International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org Email: editor@ijettcs.org
Volume 2, Issue 5, September – October 2013 ISSN 2278-6856
Volume 2, Issue 5 September – October 2013 Page 66

Derivation of framework and blueprint for hacking countermeasure

Said K. Al-Wahaibi 1 and Norafida Binti Ithnin 2

1,2 Universiti Teknologi Malaysia, 81310 UTM Skudai, Johor, Malaysia

Abstract: Hacking attacks have been increasing steadily over the past decades. To contribute to building a more secure cyber-world, this research studies hundreds of international information security standards, frameworks, best practices and research works in the fields of Defense-In-Depth, Defense-In-Breadth, and deception and hiding, in order to create a specialized framework for hacking countermeasure that is also supported by hacking risks, information security standards and compliances, and auditing against hacking activities. The data was collected from various data sources, research literature, and a wide range of related technical articles and textbooks; in addition, relevant experts' opinions were gathered to complement the work at various research stages. The finding of the study is a technical and administrative hacking countermeasure framework and blueprint that were validated via a series of questionnaire and interview surveys throughout the research stages, which show that the developed hacking countermeasure framework and blueprint provide more effective solutions against hacking attacks than the current infosec practice models. Hence the framework and the blueprint shall establish a roadmap for information systems security specialists to improve hacking countermeasure capabilities in their security designs.

Keywords: Hacking processes, defense in depth, defense in breadth, deception and hiding, framework for hacking countermeasure.

1. INTRODUCTION

The real challenge in the cyber world is to preserve the confidentiality, integrity and availability of online services and to protect them from hackers' prying eyes. The objective of this research is to design and build a hacking countermeasure framework and blueprint for preventing hackers' attacks, taking into consideration the drawbacks and limitations of the existing solutions and providing effective non-intrusive security with full blocking capabilities. This is achieved by first studying and analyzing hacking activities, working out the hacking processes and setting the related risks; second, acquiring the latest security recommendations covering Defense-In-Depth, Defense-In-Breadth, and hiding and deception techniques; third, checking compliance with selected information security standards; and finally, setting auditing for the final hacking countermeasure, which is verified and validated using questionnaire and interview surveys at the various research stages.

2. LITERATURE REVIEW

Despite the advances in defense in depth (DID) security systems, information security breaches keep increasing and becoming more sophisticated. Hackers have been successful in their attack missions over the years, causing damage, stealing information, corrupting data and threatening national and international security, which has led security experts to question the reliability and effectiveness of current security systems against hacking attacks [152, 549, 551-559]. Research such as [86], [91], [179], [296], [327], [544] has brought viable hints and recommendations for defense in breadth (DIB) approaches, but not standalone DIB systems as such. The Community Cyber Security Maturity Model (CCSMM) [560], on the other hand, was initially designed for communities. However, although this model works perfectly for awareness programs, its limitation is that it does not set clear instructions for defense in depth or for hiding and deception techniques; instead, it requests that the community have them in place.

Therefore, to overcome the limitations of the current defense-in-depth systems, we adopted the nine hacking processes from [15]. Then, to build the hacking countermeasure for every hacking process, we applied the concept and recommendations of deception and hiding from [78], [137], [140], [141], [167], [247], [253], [259], [274-278], [375], [497], [568], [593], [612], and made the best use of enhanced defense-in-depth from [1-650]. As part of defense in breadth development, we adapted the Community Cyber Security Maturity Model (CCSMM) [560] to implement a global cyber security program. In this scenario, countries consist of individual communities of various public and private organizations/agencies; each community should work toward improving its own security posture using enhanced defense in depth and establishing hiding and deception techniques, while countries can provide a high level of leadership, awareness, assistance and guidance for communities on all framework levels, thereby enforcing consistency and event handling within the country itself and across the world, fulfilling defense in breadth requirements. This concept was enhanced with recommendations from [86], [91], [179], [296], [327], [544]. We also complemented the work with recommendations for incident management and event handling from [78], [142-146], [211], [361], [362], [363], [457], [532], [544], [560].


3. RESEARCH METHODOLOGY FOR THE HACKING COUNTERMEASURE FRAMEWORK

To build the hacking countermeasure framework, a large body of literature was reviewed to extract the best practices that make up the countermeasure solution for each of the nine hacking processes. As stated in section two, the framework development was directed to include the latest defense in depth and hiding and deception techniques, enhanced with defense in breadth recommendations, in addition to recommendations for incident management and event handling. From these solutions, hacking risks were extracted and auditing was set. The final product was checked for compliance with selected information security standards. The work was verified and validated throughout the research stages using questionnaire and interview surveys. The four main framework domains are the risk assessment module, the standards and compliances module, the hacking countermeasure module, and the auditing and penetration testing module. The hacking countermeasure module is further split into three sub-modules, which were explained in section two: defense-in-breadth, hiding and deception, and defense-in-depth. These were extracted as follows, with the work process sheets shown in Figure 1:

Figure 1 Sample research work sheets

i) [26], [27], [38], [47], [48], [49], [74], [75], [76], [97], [103], [121], [129], [137], [138], [151], [187], [221], [233], [235], [247-274], [507], [508], [510], [561], [565], [574], [585-588].

ii) Scanning: [15], [16], [17], [19], [24], [26], [27], [48], [49], [137], [138], [161], [175], [301-312], [463], [529], [581], [638], [640].

iii) Enumeration: [15], [16], [17], [19], [20], [23-28], [30], [48], [49], [58], [127], [137], [138], [158], [159], [163], [253], [294], [297], [313-321], [413], [503], [507], [508], [510], [513], [517], [571], [613-615], [620], [644], [649], [650].

iv) Gaining access: [6], [10], [13-29], [37], [43], [48], [49], [77], [78], [82], [134], [135], [137], [138], [183], [253], [322-357], [366-373], [376-445], [501-508], [510], [511], [513], [518], [520], [522-526], [528], [530], [532-540], [542], [548], [555], [556], [562], [566], [567], [569], [570], [572-580], [582-586], [589-609], [616-621], [630-637], [645-648].

v) Escalating privileges: [15], [19], [23-27], [48], [49], [137], [138], [155], [446-450], [577], [578], [622-629].

vi) Pilfering: [3], [15-17], [20-30], [37], [38], [48], [49], [77], [78], [82], [94], [122], [137], [138], [156], [451], [464], [466-468], [511], [577], [578].

vii) Covering tracks: [15], [138], [289], [290], [292], [293], [295], [296], [306], [511], [577], [578], [641-643].

viii) Creating backdoors: [15], [123], [128], [138], [473-483], [511], [577], [578], [610-612].

ix) Denial of service: [15], [17], [20], [27], [138], [150], [313], [484-499], [505].

Attacks are categorized and arranged in nine hacking processes [15]. The hacking countermeasure is the outcome of merging new and existing solutions: it consists of enhanced and updated defense-in-depth for hacking countermeasure, hiding and deception techniques, and defense-in-breadth, which are represented in the hacking countermeasure models. To develop the solution from this model, countermeasures were collected for the hacking attacks categorized within the nine hacking processes. These countermeasures include recommendations from various resources such as infosec frameworks, best practices, new research on enhanced and updated defense-in-depth for hacking countermeasure, defense-in-breadth resources, and other hiding and deception countermeasures. Together these formed the countermeasures for the hacking processes, which were then mapped to information security standards and compliances. In addition, the basis for hacking auditing and penetration testing was put in place to check for the derived hacking risks and to weigh the deliverable outcome against information security standards and compliances. The result is the hacking countermeasure framework and blueprint shown in Figure 2.

Figure 2 Hacking countermeasure framework and blueprint


4. RESULTS AND ANALYSIS

This section presents the results and analysis of the questionnaire and interview surveys used to evaluate this research, which took on the challenging scope of designing and developing a proactive security solution that is able to protect information systems by continuously giving hacking protection for servers and users. The objectives are directed at setting a baseline design from which to derive the proposed information system security solution framework and blueprint by reverse engineering hacking techniques, that is, directing the countermeasures to the source of the problem, which is the hacking process. The countermeasures are based on hacking process risks, enhanced Defense-In-Depth (DID), Defense-In-Breadth (DIB), hiding and deception, auditing and penetration testing, incident management and event handling, as well as compliance with infosec standards. To verify the effectiveness and reliability of the thesis research outcome (the hacking countermeasure framework and blueprint), a questionnaire survey was distributed to selected IT managers and infosec specialists. To make sure that nothing was missed or neglected in the questionnaire survey, an interview survey using the same questionnaire was also conducted with senior information security experts. These interviews and the questionnaire are documented, and the result of this work and its analysis are presented below.

4.1 The evaluation questionnaires

The hacking countermeasure framework and blueprint, which were designed to suit all types of organizations around the world, were evaluated through a questionnaire distributed to IT professionals with information security and hacking backgrounds in selected organizations, in addition to interviews with selected senior experts in the field. A specific sample of security specialists was targeted from various universities, information technology authorities, CERT, Infoshield, and the military. The majority of this sample has infosec qualifications and a hacking knowledge background, in addition to PhD qualifications related to information security. The questionnaire survey was distributed electronically using the Google survey tool, which automatically collected replies into a spreadsheet, created graphs of various kinds, and offered filtering tools that helped analyze the information in a precise, automated way. The questionnaire contains ten multiple choice questions, each with free space for enhancement recommendations. The questionnaire was divided into three parts: part A addresses the objective of designing a framework for hacking countermeasures that accommodates enhanced Defense-in-Depth (DID), Defense-in-Breadth (DIB), hiding and deception techniques, incident management and event handling, hacking risks, auditing and penetration testing and compliance with infosec standards; parts B and C address the objective of developing a blueprint for hacking prevention, providing effective non-intrusive security with full blocking capabilities, and filling the hacking countermeasure security gap in most current practice models, by incorporating enhanced Defense-in-Depth (DID), Defense-in-Breadth (DIB), hiding and deception techniques, incident management and event handling, security risks, auditing and penetration testing and compliance with infosec standards. In addition, part D is provided for general input to the research and future development; it contains the final question, which asks the evaluator to name challenges to enforcing the evaluated hacking countermeasures solution and to enrich future developments. Table 1 gives a summary result that reflects the responses to the questionnaire survey without discriminating between organizations. Of the survey sample, 20% are PhD holders, while MSc and BSc holders are 40% each. The majority have long relevant work experience, 87% have a special infosec qualification, and 80% have a hacking background.

Table 1: Summary result for the hacking countermeasure framework and blueprint questionnaire survey

Comprehensive results | Percentages

Part A relates mainly to the framework and addresses the objective of designing a framework for hacking countermeasures that accommodates enhanced Defense-in-Depth (DID), Defense-in-Breadth (DIB), hiding and deception techniques, incident management and event handling, hacking risks, auditing and penetration testing and compliance with infosec standards.

a1. After going through the hacking countermeasure framework and the blueprint, do you find reverse engineering hacking techniques that is directing the countermeasures to hacking activities will certainly provide more effective solutions against hacking to your organization?
Yes 73%; No 0%; Maybe 20%; Don't know 7%

a2. Do you find the horizontal nine hacking processes and the vertical solution domains presented in the framework fit for the purpose of non-intrusive, full hacking blocking capabilities in your organization?
Yes 67%; No 0%; Maybe 27%; Don't know 7%


a3. Would you agree to the statement which says that this framework is the first of its kind in its approach, and will provide guidelines for future researches in the field of hacking countermeasures?
Yes 40%; No 7%; Maybe 33%; Don't know 20%

Part B relates to the blueprint, and addresses the objective of developing a framework blueprint for hacking prevention, providing effective non-intrusive security with full blocking capabilities, and filling the hacking countermeasure security gap in most current practice models, by incorporating enhanced Defense-in-Depth (DID), Defense-in-Breadth (DIB), hiding and deception techniques, incident management and event handling, security risks, auditing and penetration testing and compliance with infosec standards.

b1. Are the provided hacking risks in the blueprint helpful in promoting infosec awareness including human factor effect, and will certainly improve hacking countermeasures in your organization?
Yes 87%; No 0%; Maybe 7%; Don't know 7%

b2. Does the provided enhanced defense in depth in the blueprint set guidelines for information security specialists considering hacking countermeasures approaches to their information systems security designs, and would you recommend it to improve hacking countermeasures in your organization?
Yes 80%; No 0%; Maybe 13%; Don't know 7%

b3. Do you find the provided hiding and deception techniques in the blueprint effective against hacking activities, and you would recommend it to improve hacking countermeasures in your organization?
Yes 87%; No 0%; Maybe 7%; Don't know 7%

Part C relates to the blueprint, and addresses the objective of developing a framework blueprint for hacking prevention, providing effective non-intrusive security with full blocking capabilities, and filling the hacking countermeasure security gap in most current practice models, by incorporating enhanced Defense-in-Depth (DID), Defense-in-Breadth (DIB), hiding and deception techniques, incident management and event handling, security risks, auditing and penetration testing and compliance with infosec standards.

c1. Do you support that the provided defense in breadth in the blueprint closes the security gap that is there in the current defense-in-depth solutions, especially those related to human factor effect, and will certainly improve hacking countermeasures in your organization?
Yes 80%; No 7%; Maybe 13%; Don't know 0%

c2. Would you recommend the provided incident management and event handling in the blueprint to improve hacking countermeasures in your organization?
Yes 73%; No 0%; Maybe 27%; Don't know 0%

c3. Do you find the provided auditing and penetration testing in the blueprint useful and will certainly improve hacking countermeasures in your organization?
Yes 80%; No 0%; Maybe 7%; Don't know 13%

c4. Would you recommend the blueprint to provide a proactive security solution that is able to protect information systems by continuously guarding against hacking behaviors, and to strengthen and ease compliances requirements in your organization?
Yes 80%; No 0%; Maybe 13%; Don't know 7%

Part D provides recommendations for general input to the research and future development.

d1. What are your challenges to enforce this hacking countermeasures solution, and enrich future developments?

(1) The costs in terms of performance. It is practical to be implemented in large-scale networks with limited resources in some areas.
(2) The performance in terms of time delay. It is practical for mission critical services.
(3) The countermeasures may result in conflicts with different applications and services.
(4) May require large resources like manpower, funds, equipment, infrastructure, etc.

4.2 Questionnaire survey analysis

Based on the questionnaire survey result in Table 1, the breakdown analysis in Table 2 shows that the majority (73%) of the surveyed sample find that reverse engineering hacking techniques, that is, directing the countermeasures to hacking activities, will certainly provide more effective solutions against hacking to their organizations, while none answered “No”, 20% answered “Maybe” and 7% “Don’t know”. The percentage of people who find the horizontal nine hacking processes and the vertical solution domains presented in the framework fit for the purpose of non-intrusive, full hacking blocking capabilities in their organization is 67%, while no one answered “No”; the rest chose “Maybe” (27%) and “Don’t know” (7%). Only 7% of the surveyed sample disagree with the statement that this framework is the first of its kind in its approach and will provide guidelines for future research in the field of hacking countermeasures, while 40% agree, 33% said “Maybe” and 20% “Don’t know”. For part A, the survey result shows only one single “No” answer, scoring only 2.3% on the questions (a1, a2 and a3) for the objective of setting major guidelines for future research in the field of hacking countermeasures; in addition, the comments on the answers were even more supportive, which clearly fulfills the requirement of the first objective.

Questions b1 to b3 revealed an extremely high passing score for the objective of setting guidelines for information security specialists considering hacking countermeasure approaches in their information systems security designs. For instance, on all three questions there is not a single “No” response, and only 7% said “Don’t know” on all three. In contrast, 87% of the surveyed sample approve that the provided hacking risks in the blueprint are helpful in promoting infosec awareness, including the human factor effect, and will certainly improve hacking countermeasures in their organizations; 80% approved that the provided enhanced defense in depth in the blueprint sets guidelines for information security specialists considering hacking countermeasure approaches in their information systems security designs, and would recommend it to improve hacking countermeasures in their organizations; and 87% find the provided hiding and deception techniques in the blueprint effective against hacking activities, and would recommend them to improve hacking countermeasures in their organization. In addition, the comments on the answers say that “the set guidelines are clear, powerful and well-studied which will help increase security measurements”, which indicates an excellent pass for the second objective and the blueprint.

The third objective is covered by questions c1 to c4, whose result is also grouped with section B to validate the blueprint. In this section, none of the questions received a “No” answer except question c1. On the other hand, 80% of the answers to questions c1, c3 and c4 were “Yes”, and 73% for c2, which makes 78.25%, in addition to 15% “Maybe”, compared to only 1.75% negative “No” answers and 5% “Don’t know” in this section. This means that the survey sample, firstly, support that the provided defense in breadth in the blueprint closes the security gap in the current defense-in-depth solutions, especially those related to the human factor effect, and will certainly improve hacking countermeasures in their organization; secondly, recommend the provided incident management and event handling in the blueprint to improve hacking countermeasures in their organization; thirdly, the majority of the survey sample find the provided auditing and penetration testing in the blueprint useful and certain to improve hacking countermeasures in their organization; and finally, the sample also recommended the blueprint to provide a proactive security solution that is able to protect information systems by continuously guarding against hacking behaviors, and to strengthen and ease compliance requirements in their organization, which clearly leaves the floor for another success for the blueprint as well as the third objective. Note that a “Maybe” answer is normally regarded as split 50/50 between the two sides; had 50% of the “Maybe” answers been added to the “Yes” answers, the values would have been even higher. Table 2 gives an analysis result of mapping research objectives to the survey questions.

Table 2:Analysis for the Hacking Countermeasure Framework and Blue print Questionnaire Survey

Analysis for the Hacking Countermeasure Framework and blue print questionnaire survey Ser Objective

s Survey questions Remarks Achievements

Ser 1

Objective: To design a framework for hacking countermeasures that accommodates enhanced Defense-in-Depth (DID), Defense-in-Breadth (DIB), hiding and deception techniques, incident management and event handling, hacking risks, auditing and penetration testing and compliancy with infosec standards.

Survey question: a1. After going through the hacking countermeasure framework and the blueprint, do you find reverse engineering hacking techniques that is directing the countermeasures to hacking activities will certainly provide more effective solutions against hacking to your organization?

Remarks: 73% of the surveyed sample find reverse engineering hacking techniques that is directing the countermeasures to hacking activities will certainly provide more effective solutions against hacking to their organizations, compared to nil answering “No”, 20% “Maybe” and 7% “Don’t know”.

Achievements: The survey questionnaire and interviews were directed to IT managers, infosec specialists and experts to verify and validate the effectiveness and reliability of the research outcome. The result analysis validates the framework and the blueprint, and shows that the objectives have been fully met, as follows:

1. Sets major guidelines for future research in the field of hacking countermeasures.

2. Sets guidelines for information security specialists considering hacking countermeasures approaches to their information systems security designs.

3. Designing a proactive security solution that is able to protect information systems by continuously guarding against hacking behaviors, by providing best solutions for hacking processes risks, enhanced Defense-In-Depth (DID), Defense-In-Breadth (DIB), hiding and deception, auditing and penetration testing, incident management and event handling, as well as compliance with infosec standards.

Ser 2

Survey question: a2. Do you find the horizontal nine hacking processes and the vertical solution domains presented in the framework fit for the purpose of non-intrusive, full hacking blocking capabilities in your organization?

Remarks: 67% of the sample find the horizontal nine hacking processes and the vertical solution domains presented in the framework fit for the purpose of non-intrusive, full hacking blocking capabilities in their organization, while no one answered “No”; the rest went for “Maybe” with 27% and “Don’t know” with 7%.

Ser 3

Survey question: a3. Would you agree to the statement which says that this framework is the first of its kind in its approach, and will provide guidelines for future researches in the field of hacking countermeasures?

Remarks: 7% of the surveyed sample disagree with the statement that this framework is the first of its kind in its approach and will provide guidelines for future research in the field of hacking countermeasures, while 40% agree, 33% said “Maybe” and 20% “Don’t know”.

Ser 4

Objective: To develop a framework blueprint for hacking prevention, providing effective non-intrusive security with full blocking capabilities, and fill the hacking countermeasure security gap in most current practice models, by incorporating enhanced Defense-in-Depth (DID), Defense-in-Breadth (DIB), hiding and deception techniques, incident management and event handling, security risks, auditing and penetration testing and compliancy with infosec standards.

Survey question: b1. Are the provided hacking risks in the blueprint helpful in promoting infosec awareness including human factor effect, and will certainly improve hacking countermeasures in your organization?

Remarks: b1 to b3 show that there is no single response with “No”, and only 7% said “Don’t know” on all three; in contrast, 87% of the sample surveyed approve that the provided hacking risks in the blueprint are helpful in promoting infosec awareness including human factor effect, and will certainly improve hacking countermeasures in their organizations; 80% approved that the provided enhanced defense in depth in the blueprint sets guidelines for information security specialists considering hacking countermeasures approaches to their information systems security designs, and would recommend it to improve hacking countermeasures in their organizations; and 87% also find the provided hiding and deception techniques in the blueprint effective against hacking activities, and would recommend it to improve hacking countermeasures in their organization.

Ser 5

Survey question: b2. Does the provided enhanced defense in depth in the blueprint set guidelines for information security specialists considering hacking countermeasures approaches to their information systems security designs, and would you recommend it to improve hacking countermeasures in your organization?

Ser 6

Survey question: b3. Do you find the provided hiding and deception techniques in the blueprint effective against hacking activities, and you would recommend it to improve hacking countermeasures in your organization?

Ser 7

Survey question: c1. Do you support that the provided defense in breadth in the blueprint closes the security gap that is there in the current defense-in-depth solutions, especially those related to human factor effect, and will certainly improve hacking countermeasures in your organization?

Remarks: None of the questions (c1 to c4) got a “No” answer, except one for question c1; on the other hand, 80% of the answers responded with “Yes” to questions c1, c3 and c4, and 73% for c2, which makes 78.25% in addition to 15% “Maybe”, compared to only 1.75% negative “No” answers and 5% “Don’t know” on this section.

Ser 8

Survey question: c2. Would you recommend the provided incident management and event handling in the blueprint to improve hacking countermeasures in your organization?

Ser 9

Survey question: c3. Do you find the provided auditing and penetration testing in the blueprint useful and will certainly improve hacking countermeasures in your organization?

Ser 10

Survey question: c4. Would you recommend the blueprint to provide a proactive security solution that is able to protect information systems by continuously guarding against hacking behaviors, and to strengthen and ease compliances requirements in your organization?

Objective: General input to the research and future development, which contains the final question that requests the evaluator to give challenges to enforce the evaluated hacking countermeasures solution and enrich future developments.

Survey question: d1. What are your challenges to enforce this hacking countermeasures solution, and enrich future developments?

Remarks: (1) Costs in terms of performance, and its practicality to be implemented in large-scale networks with limited resources in some areas. (2) Performance in terms of time delay, and its practicality for mission-critical services. (3) Countermeasures may result in conflicts within different applications and services. (4) Resources, including manpower, funds, equipment and infrastructure: do organizations have enough resources to enforce such a solution? (5) The skill level of the teams responsible for carrying out different proactive and reactive activities, and the skills requirements and training program needed to carry out each task. (6) People's resistance to change. (7) Implementation required more time than other industrial approved solutions.

Achievements: These issues have been fully met in the research.

4.3 Interviews survey results and analysis

Table 3 below gives a comparative summary of the outcome of the interviews and maps it to the interview survey questions, while at the same time grouping them functionally under the desired objectives. The remarks column in Table 3 gives detailed outcome information for this mapping, and the achievements column clearly shows that the requirements of all objectives are fully met, as well as the full validation and approval of the Hacking Countermeasure Framework (HCF) and the blueprint. This finally grants a positive answer to the statement of the problem: "Can a hacking countermeasure framework provide more effective solutions against hacking attacks than the current infosec practice models?"

Table 3: Results and analysis for the interviews survey for the hacking countermeasure framework and blueprint

Columns: Questionnaire | Interview 1 | Interview 2 | Interview 3 | Remarks | Achievements

Part A relates mainly to the framework and addresses the objective of designing a framework for hacking countermeasures that accommodates enhanced Defense-in-Depth (DID), Defense-in-Breadth (DIB), hiding and deception techniques, incident management and event handling, hacking risks, auditing and penetration testing and compliancy with infosec standards.


Questionnaire: a1. After going through the hacking countermeasure framework and the blueprint, do you find reverse engineering hacking techniques that is directing the countermeasures to hacking activities will certainly provide more effective solutions against hacking to your organization?

Interview 1: The proposed Reverse Engineering Technique can improve the solutions against hacking to organization.

Interview 2: The framework and the blueprint develop a logical structure of security elements and processes which help to sense and stop the hacking attack.

Interview 3: Yes

Remarks: The provided reverse engineering hacking techniques will certainly provide more effective solutions against hacking.

Achievements: The research fulfills the requirement of the first objective, and the framework is validated.

Questionnaire: a2. Do you find the horizontal nine hacking processes and the vertical solution domains presented in the framework fit for the purpose of non-intrusive, full hacking blocking capabilities in your organization?

Interview 1: This framework can offer customized, behavior-based security for each protected application.

Interview 2: The framework draws high concentration on security vertical domains which certainly enhance the hacking blocking capabilities if deployed in well structured environment.

Interview 3: Yes

Remarks: The horizontal nine hacking processes and the vertical solution domains presented in the framework fit for the purpose of non-intrusive, full hacking blocking capabilities.

Questionnaire: a3. Would you agree to the statement which says that this framework is the first of its kind in its approach, and will provide guidelines for future researches in the field of hacking countermeasures?

Interview 1: To my knowledge, it is the first of its kind. This framework may provide guidelines for future researches due to threats interpretation skills, tools and techniques to effectively assess the threat to organization security.

Interview 2: Yes

Interview 3: Maybe

Remarks: The interviewers agree by 83.3% that this framework is the first of its kind in its approach, and will provide guidelines for future research in the field of hacking countermeasures.

Part B relates to the blueprint, and addresses the objective of developing a framework blueprint for hacking prevention, providing effective non-intrusive security with full blocking capabilities, and filling the hacking countermeasure security gap in most current practice models, by incorporating enhanced Defense-in-Depth (DID), Defense-in-Breadth (DIB), hiding and deception techniques, incident management and event handling, security risks, auditing and penetration testing and compliancy with infosec standards.


Questionnaire: b1. Are the provided hacking risks in the blueprint helpful in promoting infosec awareness including human factor effect, and will certainly improve hacking countermeasures in your organization?

Interview 1: One of the best ways to make sure employees will not make costly errors in regard to information security is to institute organization wide security-awareness initiatives. Actually, there is no effective way to protect against a Social Engineering attack because no matter what controls are implemented, there is always that human factor which influences the behavior of an individual. The proposed method is helpful in promoting information security awareness to an extent.

Interview 2: Since the blueprint has been developed and classified in very clear way, I think yes it will do.

Interview 3: Yes

Remarks: The provided hacking risks in the blueprint are helpful in promoting infosec awareness including human factor effect, and will certainly improve hacking countermeasures.

Achievements: This fulfills the requirement of meeting the objective concerning setting guidelines for information security specialists considering hacking countermeasures approaches to their information systems security designs; and it validates the blueprint.


Questionnaire: b2. Does the provided enhanced defense in depth in the blueprint set guidelines for information security specialists considering hacking countermeasures approaches to their information systems security designs, and would you recommend it to improve hacking countermeasures in your organization?

Interview 1: To ensure complete security of an organization from all kinds of internal and external factors, the IS Experts must have deep understanding of the techniques that can be used by an attacker and the counter-measures to reduce the likelihood of success of the attack. Of course hacking countermeasure approach can be considered for Information systems security designs and based on its success, it can be promoted.

Interview 2: Yes I do

Interview 3: Yes

Remarks: The provided enhanced defense in depth in the blueprint sets guidelines for information security specialists considering hacking countermeasures approaches to their information systems security designs, and it is recommended to improve hacking countermeasures in organizations.

Questionnaire: b3. Do you find the provided hiding and deception techniques in the blueprint effective against hacking activities, and you would recommend it to improve hacking countermeasures in your organization?

Interview 1: The framework includes a set of processes, principles and techniques. The hiding and deception techniques in the blueprint are workable against hacking activities and would like to implement in our organization.

Interview 2: Yes I do

Interview 3: Yes

Remarks: The provided hiding and deception techniques in the blueprint are effective against hacking activities, and it is recommended to improve hacking countermeasures in organizations.

Part C relates to the blueprint, and addresses the objective of developing a framework blueprint for hacking prevention, providing effective non-intrusive security with full blocking capabilities, and filling the hacking countermeasure security gap in most current practice models, by incorporating enhanced Defense-in-Depth (DID), Defense-in-Breadth (DIB), hiding and deception techniques, incident management and event handling, security risks, auditing and penetration testing and compliancy with infosec standards.

Questionnaire: c1. Do you support that the provided defense in breadth in the blueprint closes the security gap that is there in the current defense-in-depth solutions, especially those related to human factor effect, and will certainly improve hacking countermeasures in your organization?

Interview 1: Humans are consistently referred to as the weakest link in security. An exclusive focus on the technical aspects of security, without due consideration of how the human interacts with the system, is clearly inadequate and I feel that the proposed method will improve hacking countermeasures in my organization.

Interview 2: Yes I do

Interview 3: Yes

Remarks: The provided defense in breadth in the blueprint closes the security gap that is there in the current defense-in-depth solutions, especially those related to human factor effect, and will certainly improve hacking countermeasures.

Achievements: This concludes meeting all objectives requirements, and approves the blueprint.

Questionnaire: c2. Would you recommend the provided incident management and event handling in the blueprint to improve hacking countermeasures in your organization?

Interview 1: The provided incident management has the ability to provide management of information security events and incidents and I will recommend it.

Interview 2: Yes I do

Interview 3: Yes

Remarks: The provided incident management and event handling in the blueprint improves hacking countermeasures.


Questionnaire: c3. Do you find the provided auditing and penetration testing in the blueprint useful and will certainly improve hacking countermeasures in your organization?

Interview 1: Auditing and Penetration tests applied in this framework are valuable for several reasons:

1) Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence.

2) Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software.

3) Assessing the magnitude of potential business and operational impacts of successful attacks.

4) Testing the ability of network defenders to successfully detect and respond to the attacks.

5) Providing evidence to support increased investments in security personnel and technology.

Interview 2: Yes I do

Interview 3: Yes

Remarks: The provided auditing and penetration testing in the blueprint and appendices B and F are useful and will certainly improve hacking countermeasures.

Questionnaire: c4. Would you recommend the blueprint to provide a proactive security solution that is able to protect information systems by continuously guarding against hacking behaviors, and to strengthen and ease compliances requirements in your organization?

Interview 1: Today’s Internet requires a whole new approach to security. Almost everything is interconnected and taking place in real time. And that includes the threats. Effective security software must be alert at all times for new, ever-more devious malware. New types of threats require new types of protection. It always prefers to guard against hacking behaviors.

Interview 2: Yes I do

Interview 3: Yes

Remarks: The interviewers recommend the blueprint to provide a proactive security solution that is able to protect information systems by continuously guarding against hacking behaviors, and to strengthen and ease compliances requirements.

Part D provides recommendations for general input to the research and future development.

Questionnaire: d1. What are your challenges to enforce this hacking countermeasures solution, and enrich future developments?

Interview 1: Acceptance by Management and the employee behavior.

Interview 2: As this solution has been mapped with International standards and best practices, I think challenges are limited such as:

1) Lack of experience and exposure to some security domain.

2) Implementation required extra time for meeting expected outcome

Interview 3: Mostly they are related with security awareness, social engineering, lack of skills set, resistance to change, trust and confidentiality issues etc.

Remarks: 1) Security awareness. 2) Social engineering. 3) Lack of skills set. 4) Resistance to change. 5) Trust and confidentiality issues. 6) Implementation required extra time for meeting expected outcome.

Achievements: These remarks have been addressed in the research.

4.4 Evaluation summary

Questionnaire and interview surveys were conducted and analyzed to evaluate this research by verifying that the objectives were met and by assuring the effectiveness and reliability of the resulting framework and blueprint. This was done via a questionnaire survey distributed to selected IT managers and infosec specialists, in addition to interview surveys using the same questionnaire with senior information security experts from the public and private sectors, military, universities, and CERT. The major findings of this research were presented with respect to the technical requirements and mapped to the evaluation result, which shows that the technical requirements and the scope of work were fully achieved in this research. This concludes the validation and meeting of the research objectives and approves the hacking countermeasure framework and blueprint introduced with all its contents, including hacking processes risks, enhanced Defense-In-Depth (DID), Defense-In-Breadth (DIB), hiding and deception, auditing and penetration testing, incident management and event handling, as well as compliance with infosec standards.

Finally, it is clear that this also answers the statement of the problem "Can a hacking countermeasure framework provide more effective solutions against hacking attacks than the current infosec practice models?", and the answer is “Yes”, as said in the questionnaire and interview surveys.

5. DISCUSSION

This section discusses the major findings of this research as a result of the research evaluation, and maps them to the technical requirements that were set for the As-To-Be framework and blueprint development and used to direct the countermeasures to the hacking processes, which derived hacking processes risks, enhanced Defense-In-Depth (DID), Defense-In-Breadth (DIB), hiding and deception, auditing and penetration testing, incident management and event handling, as well as compliance with infosec standards; the summary of this mapping and the discussion is given in Table 4.

Table 4: Mapping of the hacking countermeasures technical requirement to research findings

Columns: Technical Requirements | Survey questions | Findings

Technical requirement: Applying reverse engineering hacking techniques by directing the countermeasures to hacking activities

Survey question: a1. After going through the hacking countermeasure framework and the blueprint, do you find reverse engineering hacking techniques that is directing the countermeasures to hacking activities will certainly provide more effective solutions against hacking to your organization?

Findings: Achieved. 73% of the surveyed sample find reverse engineering hacking techniques that is directing the countermeasures to hacking activities will certainly provide more effective solutions against hacking to their organizations, compared to nil answering “No”, 20% “Maybe” and 7% “Don’t know”.

Survey question: a2. Do you find the horizontal nine hacking processes and the vertical solution domains presented in the framework fit for the purpose of non-intrusive, full hacking blocking capabilities in your organization?

Findings: Achieved. 67% of the sample find the horizontal nine hacking processes and the vertical solution domains presented in the framework fit for the purpose of non-intrusive, full hacking blocking capabilities in their organization, while no one answered “No”; the rest went for “Maybe” with 27% and “Don’t know” with 7%.


Survey question: a3. Would you agree to the statement which says that this framework is the first of its kind in its approach, and will provide guidelines for future researches in the field of hacking countermeasures?

Findings: Achieved. 7% of the surveyed sample disagree with the statement that this framework is the first of its kind in its approach and will provide guidelines for future research in the field of hacking countermeasures, while 40% agree, 33% said “Maybe” and 20% “Don’t know”; in addition, the interviewers agree by 83.3%.

Technical requirement: Provision of hacking risks

Survey question: b1. Are the provided hacking risks in the blueprint helpful in promoting infosec awareness including human factor effect, and will certainly improve hacking countermeasures in your organization?

Findings: Achieved. b1 shows that there is no single response with “No”, and only 7% said “Don’t know”, compared to 87% of the sample surveyed approving that the provided hacking risks in the blueprint are helpful in promoting infosec awareness including human factor effect, and will certainly improve hacking countermeasures in their organizations.

Technical requirement: Provision of enhanced Defense in Depth (DID)

Survey question: b2. Does the provided enhanced defense in depth in the blueprint set guidelines for information security specialists considering hacking countermeasures approaches to their information systems security designs, and would you recommend it to improve hacking countermeasures in your organization?

Findings: Achieved. b2 shows that there is no single response with “No”, and only 7% said “Don’t know”; in contrast, 80% approved that the provided enhanced defense in depth in the blueprint sets guidelines for information security specialists considering hacking countermeasures approaches to their information systems security designs, and would recommend it to improve hacking countermeasures in their organizations.

Technical requirement: Provision of hiding and deception techniques

Survey question: b3. Do you find the provided hiding and deception techniques in the blueprint effective against hacking activities, and you would recommend it to improve hacking countermeasures in your organization?

Findings: Achieved. b3 shows that there is no single response with “No”, and only 7% said “Don’t know”; on the other hand, 87% find the provided hiding and deception techniques in the blueprint effective against hacking activities, and would recommend it to improve hacking countermeasures in their organization.

Technical requirement: Provision of Defense in Breadth (DIB)

Survey question: c1. Do you support that the provided defense in breadth in the blueprint closes the security gap that is there in the current defense-in-depth solutions, especially those related to human factor effect, and will certainly improve hacking countermeasures in your organization?

Findings: Achieved. c1 got only one “No” answer; on the other hand, 80% of the answers responded with “Yes” to the question.

Technical requirement: Provision of incident management and event handling

Survey question: c2. Would you recommend the provided incident management and event handling in the blueprint to improve hacking countermeasures in your organization?

Findings: Achieved. c2 got no “No” answers, and 73% of the answers responded with “Yes”, in addition to 27% “Maybe”.

Technical requirement: Provision of auditing and penetration testing

Survey question: c3. Do you find the provided auditing and penetration testing in the blueprint useful and will certainly improve hacking countermeasures in your organization?

Findings: Achieved. c3 got no “No” answers, and 80% of the answers responded with “Yes” to the question.


Technical requirement: Provision of compliances requirements

Survey question: c4. Would you recommend the blueprint to provide a proactive security solution that is able to protect information systems by continuously guarding against hacking behaviors, and to strengthen and ease compliances requirements in your organization?

Findings: Achieved. c4 got no “No” answers; in contrast, 80% of the answers responded with “Yes” to the question.

6. Conclusion

This research develops a hacking countermeasure framework and blueprint by finding solutions for the actual hacking processes using defense-in-depth, defense-in-breadth, deception and hiding, incident management and event handling, in addition to hacking risk assessment, auditing and compliance. The developed hacking countermeasure framework has four main domain components: risk assessment, hacking countermeasures, auditing and penetration testing, and compliance with information security standards. From the framework, a blueprint was also developed which provides solutions for all the hacking processes. Both the framework and the blueprint were continuously validated successfully throughout the research via questionnaire and interview surveys. Finally, we hope that this work will contribute to providing more effective future solutions against hacking attacks.

[19] Churchhouse, R.Codes and Ciphers. 1stedition.CambridgeUniversityPress(USA). 2002

[20] Erickson, J.Hacking The Art of Exploitation. 2nd edition. William Pollock (USA). 2008

[21] Cox, K. and Greg, C. Managing Security with Snort and IDs Tools. 1stedition.O’Reilly Media (USA). 2004

[22] Kanneganti, R. and Chodavarapu, P.SOA Security.1st edition. Manning Publications CO(USA). 2008

[23] Moskowitz, J. Group Policy Fundamentals, Security, and Troubleshooting.1st edition. Wiley Publishing(Canada). 2008

[24] Seacord, R C.The Cert C Secure Coding Standard.1st edition. Addison Wesley(USA).2007

[25] Marty, R.Applied Security Visualization.1st edition. Addison Wesley(USA). 2008

Page 18: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 83

[26] Chess, B. and West, J.Secure Programming with Static Analysis.1st edition.(USA). Addison Wesley.2007

[27] Ali Jahangiri. Practical hacking and countermeasures. Ali Jahangiri Org (USA). 2009.

[28] Foster, J. C.Writing Security Tools and Exploits. 1st edition. Andrew Williams(Canada).2006

[29] Hal Flynn.Designing and Building Enterprise DMZs.SyngressPublishing (USA). 2006.

[30] Donahoo, M. J. and Calvert, K. L.TCP/IP Sockets in C practical guide for programming. 1stedition.Morgan Kaufmann Publishers (USA). 2001

[31] Snedaker, S.Syngress.IT Security Project Management. 1st edition. Andrew Williams(Canada). 2006

[32] Rami, Abdulaziz.Viruses and Hacking.Albara. 2005. [33] Robert Schifreen.Defeating the Hackers. Wiley (UK).

2006. [34] Christian Barnes, Tony Bautts, Donald Lloyd, Cric

Ouellet, Jeffrey Postuns, David M. Zudzian and Neal O’Farrel. Hack Proofing Your Wireless Network. Syngress (USA). 2002.

[35] Harold F. Tipton and Micki Krause. Information Security Management Handbook. 6th Edition. Auerbach Publication (USA). 2007.

[36] Kaughal Solanki, Kenneth Sullivan and Upamanyu Madhow. Information Hiding. 10th edition. Springer (USA). 2008

[37] Robert J Shimonski, Will Schmied, V Chang and Thomas W Shinder.DMZs for Enterprise Networks.SYNGRESS. 2003

[38] Andress,Mandy.CISSP.SYNGRESS. 2001 [39] Woody Browne, Brian Danielyan, Edgar Caesar,

Jamie Osipov, Vitaly Knipp and Eric Weaver.Cisco Network Security. SYNGRESS. 2003

[40] Cisco Systems.The foundation for Secure E-Business. Cisco Systems Inc. 2003.

[41] Lockhart,Andrew.Network Security Hacks - 2nd edition. O’REILLY (USA). 2006.

[42] McNab, Chris. Network Security Assessment - 2nd edition. O’REILLY (USA). 2008.

[43] Markus Jakobsson and Zulfikar Ramazan. Crimeware. Symantec Press. (USA). 2008.

[44] Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey and Terron Williams. Gray Hat Hacking. 3rd edition. McGraw Hill. (USA). 2011.

[45] Hassan, Ahmed. Hackers. Albara. 2004. [46] Hassan, Ahmed.and Farooq. Hackers. Albara. 2005 [47] Barman, Scott. Writing Information Security

Policies. New Riders. 2002 [48] Schneier, Bruce.AppliedCryptography.WILEY. 1996 [49] Lingfeng, Yu. Multidimensional data encryption with

virtual optics. Hong Kong University of Science and Technology. 2004

[50] Hutton, Keith. and Ranjbar, Amir. Designing Cisco Network Architectures. PEARSON. 2006

[51] Sommerville. Software Engineering. Addison-Wesley. 2011

[52] Plauger and Brodie. Standard C a reference. Prentice Hall. 1995

[53] Nance, Barry. Network Programming in C. Prentice Hall. 1997

[54] Denning, D. E. Assessing the CNO Threat of Foreign Countries, in “Information Strategy and Warfare (J. Arquilla and D. Borer eds.)”. Routledge. (USA). 2007

[55] Denning, P. J. and Denning, D. E. Discussing Cyber Attack. Comm. of the ACM, Vol. 53, No. 9. Sept. 2010

[56] Franda, M.Internet development and politics in five world regions. Lynne Rienner Publisher. 2002

[57] Douglas Comer. Computer Networks and Internets. 5th edition. Pearson Education (USA). 2008

[58] Joel Scambray. Hacking Exposed Windows. Microsoft Windows Security Secrets and Solutions. 3rd Edition.McGraw-Hill Osborne Media. (USA). 2007

[59] Denning, D. E. The Web Ushers In New Weapons of War and Terrorism. Scientific American. August 18, 2008.

[60] Denning, D. E. Terror's Web. How the Internet is Transforming Terrorism, in “Handbook on Internet Crime (Y. Jewkes and M. Yar, eds.)”. Willan Publishing. (USA). 2010.

[61] Shah,G. Five Steps to Digital safety. Stevens Publishing Corporation. 2002

[62] Northcutt, Stephen. E-Warfare. SANS Institute. 2001 [63] Richard A Clarke and Robert Knake. Cyber War. The

next Threat to National Security and what to do about it. Ecco. (USA). 2010.

[64] IEEE. 8012.10 Standard for Interoperable Local Network Security (SILS. Available at. http.//ties.itu.int/ftp/public/itu-t/tsg15opticaltransport/COMMUNICATIONS_2001-2004/ieee_802_3/ieee_802_3_1_0310_q12_cp.html.Visited on 24/July/2011.

[65] IETF. IPSEC Working Group.Available at. http.//datatracker.ietf.org/wg/ipsec/charter. Visited on 24/July/2011.

[66] IETF. SAAG Security Area Advisory Group. Available at https.//www.ietf.org/mailman/listinfo/saag. Visited on 24/July/2011

[67] ISO/IEC TR 19791.2010. Information technology - Security techniques - Security assessment of operational systems. Available on. http.//www.iso.org/iso/search.htm?qt=ISO+15408&published=on&active_tab=standards. Visited on 17/August 2011.

[68] ISO 15408-1.2009. Information technology - Security techniques - Evaluation criteria for IT security - Part 1. Introduction and general model. Available on. http.//www.iso.org/iso/search.htm?qt=ISO+15408&p

Page 19: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 84

ublished=on&active_tab=standards. Visited on 17/August 2011.

[69] ISO 15408-2.2008. Information technology - Security techniques - Evaluation criteria for IT security - Part 2. Security functional components. Available on. http.//www.iso.org/iso/search.htm?qt=ISO+15408&published=on&active_tab=standards. Visited on 17/August 2011.

[70] ISO 27002.2005. Information technology-Security techniques-Code of practice for information security management. Available on. http.//www.iso.org/iso/search.htm?qt=ISO+15408&published=on&active_tab=standards. Visited on 17/August 2011.

[71] ITU-T Recommendation X.273. Open Systems Interconnection Security Protocol. ITU. (Switzerland). Available on. http.//eu.sabotage.org/www/ITU/X/X0273e.pdf. Visited on 17/August 2011.

[72] ITU-T Recommendation X.509. Open systems interconnection – The Directory. Public-key and attribute certificate frameworks.ITU. (Switzerland). Available on. http.//www.itu.int/rec/T-REC-X.509-200811-I/en. Visited on 17/August 2011.

[73] Hoyle, David. ISO 9000 Quality Assessment Handbook. BH. 2009.

[74] Raval, V. and Fichadia, A. Risks, Controls, and Security. Concepts and Applications. Wiley (USA). 2007

[75] Christopher King, ErtemOsmanoglu and Curtis Dalton. Security Architecture Design, Deployment and Operations. McGrraw-Hill (USA). 2001

[76] Jan Killmeyer Tudor. Information Security Architecture. Addison CRC Press (USA). 2001

[77] Adhijit Balapukar and others. Distributed Systems Security. Wiley (USA). 2009

[78] Raymond, J. Panko. Corporate Computer and Network Security. 2ndedition. PEARSON. (USA). 2011.

[79] Lary B.Christensen, R Burke Johnson and Lisa A. Turner. Research Methods. 11th edition. Allyn and Bacon (USA). 2010

[80] Paul D. Leedy and Jeanne Ellis Ormrod. Practical Research Planning and Design. 10th edition. Pearson (USA). 2012

[81] Mike Meyers & Shon Harris. Certified Information Systems Security Professional. Mitp-Verlag (USA). 2009

[82] EC-Council. Ethical Hacking and Countermeasures. Secure Network Infrastructures. Course Technology. (USA). 2009

[83] Breach Security Labs. White paper. Web Hacking Incidents Report 2009. Breach Security Inc. (USA) 2009. Available at. http.//www.breach.com/resources/whitepapers/ index.html. Visited on. 02/November/2009.

[84] Internet Crime Complaint Centre. Annual Report on Internet Crime Released. IC3 (USA). 2009.

Available at. http.//www.ic3.gov/media/2009/090331.aspx. Visited on. 14/February/2010.

[85] UK Government. BERR Survey on Security Breaches. PWC (UK). 2008.Available at. http.//www.pwc.co.uk/eng/publications/berr_information_ security_breaches_survey_2008.html. Visited on. 08/February/2009.

[86] Breach Security Labs. WEB Defender and OWASP top ten. Breach Security Inc. (USA) 2010. Available athttp.//www.owasp.org/index.php/Category. OWASP_Top_Ten_ Project, Visited on 12/May/2010.

[87] Marcus Aldrich .CISO Middle East Executive Summit. LLOYDS. (Oman). 2009.

[88] Sun Tzu & Thomas Cleary. The Art of War. Shambhala Publications Inc. (USA). 2005.

[89] Infoguard AG. Seminar on Ethical Hacking and Cyber Crime. Infoguard (Switzerland). 2010.

[90] Symantec. Global Internet Security Threat Report.Symantic. (USA). 2009.

[91] Cisco. Cisco security Agent. Cisco Corporation. (USA). 2009. Available at. www.cisco.com/en/us/prod/collateral/vpndevec/ ps5707/ps5757/prod_white_ paper0900aecd802f438.html. Visited on. 09/September/2009.

[92] Jaikumar Vijayan. Hackers crack secure authentication. Available at. http.//www.cio.co.uk/news/3208832/hackers-crack-secure-authentication-says-gartner/.Visited on. 09/September/2009.

[93] Axel Buecker, Martin Borrett, Carsten Lorenz and Calvin Powers. Introducing the IBM security framework and IBM security blueprint to realize business-driven security. Available at. http.//www.redbooks.ibm.com/redpapers/pdfs/ redp4528.pdf. Visited on. 12/August/2010

[94] Ohio Supercomputer Center Information Security Framework. Available at. www.osc.edu/policies.Visited on. 12/August/2010.

[95] Tasmanian Government information security framework. Available at. http.//www.egovernment.tas.gov.au/. Visited on. 07/August/2010.

[96] Tasmanian Government information security guidelines. Available at. http.//www.egovernment.tas.gov.au/. Visited on. 06/August/2010.

[97] Peni D. Smith. Developing & Implementing an Information Security Policy and Standard Framework. SANS Institute. 2004. Available at. http.//www.sans.org/readings_room. Visited on. 21/August/2009.

[98] Trusted info sharing nw. CIO, CISO and Practitioner Guidance IT Security Governance. (Australia).2007. Available at http.//www.tisn.gov.au

Page 20: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 85

[99] IT Governance Portal. Available at http.//www.itgovernance.co.uk/it_governance.aspx. Visited on. 01/October/2010.

[100] Alan Calder. Developing an IT Governance framework.IT adviser. Winter 2008. Issue 56. Available at. http.//principia.vbnlive.com/site/themes.asp. Visited on. 23/December/2009.

[101] Gary McGraw, Brian Chess & Sammy Migues. Building Security In Maturity Model BSIMM2. BSIMM2. 2010. Available at. http.//bsimm2.com/download/ .Visited on. 13/August/2010.

[102] Marcia Savage. Under Attack. Information Security Magazine. May 2010. Available at. http.//viewer.media.bitpipe.com/1152629439_931/1272910610 _295/0510_ISM_eM.pdf .

[103] Sergey Bratus. What hackers learn that the rest of us don’t. IEEE Security & Privacy. July/August 2007. Vol 5 No. 4 pp 72-75.

[104] Wayne Jones and Al Gallo. A Process-Based Approach to handling Risks. IEEE– IT Professional. March/April 2007. Vol.9, issue 2.

[105] INNOVA.Infosec Management Framework. 2010. Available at. http.//innova-sa.eu/security/information-security-management-isms.html. Visited on. 15/November/2010.

[106] Indiana Office of Technology. Information Security Framework. (State of IndianaUSA).Version 2.0. 2007.

[107] Randy Nichols, Dan Ryan, and Julie Ryan. Defending Your Digital Assets. (USA). 2000.

[108] EC-Council. Penetration Testing. Network & Perimeter Testing. Course Technology. (USA). 2010

[109] Ernust &Yung. Ernust & Yung's BS7799 Risk assessment approach. Ernust &Yung Corporation (USA). 2006

[110] D. Monarchi and G. Puhr. A Research Topology for Object Oriented Analysis and Design.Communications of the ACM. 1992. Vol. 33, No, 9, pp 35-47

[111] G. Engels, RA Leiden And G Kappel. Object-Oriented System Development. Leiden University. (Netherlands). Available at. http.//www.citeseerx.ist.psu.edu.viewdoc.Visited on. 10/Dec/ 2009.

[112] Jennifer L. Bayuk, Jason Healey, Paul Rohmeyer, Marcus Sachs, Jeffrey Schmidt, Joseph Weiss. Cyber security policy guidebook. John Wiley & Sons (USA). 2012.

[113] J. Thelin P.J. Murray. A Public Web Services Security Framework Based on Current and Future Usage Scenarios. CSREA Press (USA). 2002. Available at. http.//scholar.google.com/.Visited on. 21/August/2009.

[114] 114. Pakpoom Prechapanich and others. The Development of Web Services Security Framework

for Ministry of Information and Communication Technology in Thailand. (Thailand). 2005. Available at. http.//scholar.google.com/. Visited on. 02/July/2010.

[115] ISACA. COBIT. ISACA Organization. 2011. Available at. http.//www.isaca.org/Template.cfm? Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981.Visited on. 2/Jul/2009.

[116] ITIL. ITIL. ITiL official website. 2011. Available at. ITIL®, http.//www.itil-officialsite.com/home/home.asp.Visited on. 26/5/2011.

[117] ISO/IEC. ISO/IEC 27002.2005 International standard code of practice for information security management.ISO Organization. Geneva, Switzerland. 2011. Available at. http.//www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297.Visited on 26/5/2011.

[118] PCI DSS. Verify PCI Compliance. Official PCI Security Standards Council Site. Available at. http.//www.pcisecuritystandards.org/ security_standards/supporting_ documents_home.htm .Visited on. 02/August/2009.

[119] RiskServer.Window to Security Risk Analysis, ISO 17799, Information Security Policies, Audit & Business Continuity. Available at. http.//www.riskserver.co.uk/.Visited on 03/August/2009.

[120] Kinniburgh, J. and Denning, D. E. Blogs and Military Information Strategy, in “Information Strategy and Warfare (J. Arquilla and D. Borer eds.)”. Routledge. (USA). 2007.

[121] Eldad Eilam. Reversing. Secrets of Reverse Engineering. Wiley Publishing (USA). 2005.

[122] Steven Adair, Blake Hartstein, Mathew Richard and Michael Ligh. Malware Analyst's Cookbook and DVD. Tools and Techniques for Fighting Malicious Code. Wiley. (USA). 2010.

[123] Bill Blunden. The Rootkit Arsenal. Jones & Bartlett Publishers. (USA). 2009.

[124] Enrico Perla and Massimiliano Oldani. A Guide to Kernel Exploitation. Attacking the Core. Syngress. (USA). 2010.

[125] NiteshDhanjani, Billy Rios and Brett Hardin. Hacking. The Next Generation (Animal Guide).O'Reilly Media. (USA). 2009.

[126] DafyddStuttard and Marcus Pinto. The Web Applications Hacker's Handbook. Discovering and Exploring Security Flaws. Wiley. (USA). 2011.

[127] Joel Scambray and others.Hacking Exposed Web Application.3rd Edition. McGraw-Hill Osborne Media. (USA). 2010.

[128] Michael Davis, Sean Bodmer and Aaron. Hacking Exposed. Malware and Rootkits Secrets & Solutions. 3rdEdition. McGraw-Hill Osborne Media. (USA). 2009.

Page 21: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 86

[129] ISACA. Data Leak Prevention. ISACA Organization. (USA). 2010. Available at. www.isaca.org Visited on. 20 March 2011.

[130] Denning, D. E. Barriers to Entry. Are They Lower for Cyber Warfare?.IO Journal. April 2009.

[131] Kevin Poulsen. Kingpin. How One Hacker Took Over the Billion-Dollar Cybercrime Underground, Crown.(USA). 2011.

[132] Deviant Ollam. Practical Lock Picking. A Physical Penetration Tester's Training Guide. Syngress. (USA). 2010.

[133] Christopher Hadnagy and Paul Wilson. Social Engineering. The Art of Human Hacking. Wiley. (USA). 2011.

[134] Justin Clarke. SQL Injection Attacks and Defense. Syngress. (USA). 2009.

[135] Mark Russinovich and Howard Schmidt. Zero Day. A Novel. Thomas Dunne Books. (USA). 2011.

[136] Denning, D. E. The Ethics of Cyber Conflict, in “Information and Computer Ethics (K. E .Himma and H. T. Tavani eds.)”.Wiley. (USA). 2007.

[137] Yuill, J., Denning, D., and Feer, F. Using Deception to Hide Things from Hackers. Journal of Information Warfare. 2006. Vol. 5, No. 3, pp. 26-40.

[138] OWASP. A Guide to Building Secure Web Applications and Web Services. OWASP. (2005). Available at. http.//www.owasp.org. Visited on 10/Dec/ 2009.

[139] EC-Council. Ethical Hacking and Countermeasures. Web Applications and Data Servers. Course Technology. (USA). 2009.

[140] Denning, D. E. A View of Cyberterrorism Five Years Later, “Readings in Internet Security. Hacking, Counterhacking, and Society (K. Himmaed.)”. Jones and Bartlett Publishers. (USA). 2006.

[141] Joseph Menn. Fatal System Error. The Hunt for the crime Lords who are bringing down the internet. Public Affairs. (USA). 2010.

[142] Tommie W. Singleton &Aaron J. Singleton.Fraud Auditing and Forensic Accounting.4th Edition.Wiley. (USA). 2010

[143] Joseph T. Wells. Principles of Fraud Examination. 2ndEdition. Wiley. (USA). 2008.

[144] EC-Council. Computer Forensics. Investigating Network Intrusions and Cybercrime. Course Technology. (USA). 2009

[145] EC-Council. Computer Forensics. Secure Network Infrastructures. Hard Disks and Operating Systems .Course Technology.(USA). 2010

[146] Michael Cross. Scene of the Cybercrime.2ndedition. Syngress. (USA). 2008

[147] The Honeynet project. Know your enemy. Addison Wesley. (USA). 2004.

[148] Dieter Gollmann. Computer Security.3rd edition. Wiley (USA). 2011.

[149] Mark Stamp. Information Security. Wiley. (USA). 2006.

[150] Lincoln D. Stein and John N. Stewart. Securing against Denial of Service attacks. W3C-The World Wide Web Security FAQ. W3C Organization. Available at. http.//www.w3.org/Security/faq/wwwsf6.html.Visited on. 7th April, 2011.

[151] Nitesh Dhanjani, Billy Rios and Brett Hardin. Hacking the Next Generation. O'Reilly. (USA). 2009.

[152] Steven Levy. Hacking Incidents. O'Reilly. (USA). 2010

[153] Shon Harris. CISSP Practice Exams. McGraw-Hill (USA). 2010.

[154] Edward Amoroso. Cyber Attack. Protecting National Infrastructure. Butterworth-Heinemann. (USA). 2010

[155] Lincoln D. Stein and John N. Stewart. Protecting Confidential Documents at Your Site. W3C-The World Wide Web Security FAQ. W3C Organization. Available at. http.//www.w3.org/Security/faq/wwwsf5.html. Visited on. 7th April, 2011.

[156] Lincoln D. Stein and John N. Stewart. Server Side Security. W3C-The World Wide Web Security FAQ.W3C Organization. Available at. http.//www.w3.org/Security/faq/wwwsf3.html. Visited on. 7th April, 2011.

[157] Verizon RISK Team, United States Secret Service. Data Breach Investigations Report. Verizon Business. July 2010. p.26.

[158] Lincoln D. Stein and John N. Stewart. CGI (Server) Scripts. W3C-The World Wide Web Security FAQ.W3C Organization. Available at. http.//www.w3.org/Security/faq/wwwsf4.html. Visited on. 7th April, 2011.

[159] OWASP. Session Hijacking. OWASP Organization. July 2011. Available at. https.//www.owasp.org/index.php/Session_Fixation. Visited on. 31 July 2011.

[160] Said K. Al-Wahaibi, Norafida Binti Ithnin and Ali H. Al-Badi. Information Security Solutions Status and the Roadmap for Future Requirements.Journal of Information Assurance & Cyber security. (USA). June 2011. Vol. 2011 (2011). Article ID 664951. Available at. http.//www.ibimapublishing.com/journals/JIACS/jiacs.html. Visited on. 10 July 2011.

[161] ISO/IEC 18028-5.2006. Information technology - Security techniques - IT network security - Part 5. Securing communications across networks using virtual private networks. Available on. http.//www.iso.org/iso/search.htm?qt=ISO+15408& published =on&active_tab=standards. Visited on 17/August 2011.

[162] ISO/TS 17574.2009. Electronic fee collection - Guidelines for security protection profiles. Available on. http.//www.iso.org/iso/search.htm?qt=

Page 22: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 87

ISO+15408&published=on&active_tab=standards. Visited on 17/August 2011.

[163] ISO/IEC PDTR 20004. Information technology - Security techniques - Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045. Available on. http.//www.iso.org/iso/search.htm?qt=ISO+15408&published=on&active_tab=standards. Visited on 17/August 2011.

[164] André M., Nedislav N., Christian G., André K., Nicolas R. and Ralf S. A Generic Metamodel for IT Security. International Conference on Availability, Reliability and Security. 2010. pp.430-437.

[165] Sanjay G., Salvatore B. and Laura I. A Resilient Network that Can Operate Under Duress. To Support Communication between Government Agencies during Crisis Situations. 37th Annual Hawaii International Conference on System Sciences (HICSS'04). 2004. vol. 5, pp.50123a.

[166] Michael A., Partha P., Franklin W. and Christopher J. Adaptive Use of Network-Centric Mechanisms in Cyber-Defense.IEEE International Symposium on Network Computing and Applications. 2003. PP. 179.

[167] Youngho Cho, Gang Qu, and Yuanming Wu. Insider Threats against Trust Mechanism with Watchdog and Defending Approaches in Wireless Sensor Networks. IEEE CS on Security and Privacy Workshops. IEEE computer society (USA). 2012. Pages 134 - 141.

[168] Moohun L., Sunghoon C., Changbok J., Heeyong P. and Euiin C. A Rule-based Security Auditing Tool for Software Vulnerability Detection. International Conference on Hybrid Information Technology. (ICHIT'06). 2006. Vol 2 pp. 505-512.

[169] SANS. Audit Vulnerability Scan Policy. SANS Institute. (USA). 2006

[170] Slim R., Jihene K. and Noureddine B. Cognitive-Maps Based Investigation of Digital Security Incidents. IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering. 2008. PP. 25-40.

[171] Byunggil L., Seungjo B. and Dongwon H. Design of Network Management Platform and Security Framework for WSN. IEEE International Conference on Signal-Image Technologies and Internet-Based System. 2008. PP. 640-645.

[172] Hongxia J. and Jeffery L. Forensic Analysis for Tamper Resistant Software. International Symposium on Software Reliability Engineering. 2003. PP. 133.

[173] University of Salford. Information Security PolicyVersion. 1.0. University of Salford. (UK). 2006.

[174] David H. Making sense of anti-malware comparative testing. Information Security Technical Report. February 2009. Volume 14, issue 1, pp. 7-15.

[175] Sunbelt Software. White Paper. VIPRE Email Security for Exchange Best Practices Guide. Sunbelt Software Inc. (USA). 2010.

[176] Barry D. C. and Steve B. A Review of monitoring mechanisms for national sustainable development strategies. a report prepared for the Organization for Economic Cooperation and Development. International Institute for Environment and Development - Issue No. 27. (Paris). July 2006.

[177] Munirul U., Zurainibt I. and Zailani M. S. A Framework for the Governance of Information Security in Banking System. Journal of Information Assurance & Cybersecurity. IBIMA Publishing. 2011. Vol. 2011.

[178] Tammy L. Clark and Toby D. Stiko. White paper. Information Security Governance. Standardizing the Practice of Information Security. Educause-Center for Applied Research. August 2008. Vol. 2008, issue 17.

[179] Hoesung K. and Seongjin A. Study on developing a security violation response checklist for the improvement of internet security management systems.International Conference on Multimedia and Ubiquitous Engineering (MUE'07). 2007. PP. 1199-1204

[180] Santhi Jeslet D., Sivaraman G., Uma M., Thangadurai K. and Punithavalli M. Survey on Awareness and Security Issues in Password Management Strategies. International Journal of Computer Science and Network Security. April 2010. Vol. 10 No. 4 pp. 19-23.

[181] Mete E., Erdem U. and Saban E. The positive outcomes of information security awareness training in companies – A case study. Human Factors in Information Security. November 2009. Vol. 14, issue 4, pp.175-230

[182] Gary H. The State of IT Auditing in 2007. Edpacs the EDP audit, control and security newsletter. Taylor & Francis. (London).August 2011.

[183] Lincoln D. Stein and John N. Stewart . Client Side Security.W3C-The World Wide Web Security FAQ. W3C Organization. Available at. http.//www.w3.org/Security/faq/wwwsf2.html. Visited on. 7th April, 2011.

[184] Robert K. A., Frederick T. S. and Ali M. Validating Cyber Security Requirements. A Case Study. 44th Hawaii International Conference on System Sciences. 2011. PP. 1-10.

[185] Crawford S.Offloading the security burden. Information security magazine. July/August 2010. Vol. 12. Number 6, PP 26-34.

[186] Shelly, Cashman & Vermaat. Discovering Computers 2007. A Gateway to Information. Thomson. (USA), 2007.

[187] Lincoln D. Stein and John N. Stewart. General Questions. W3C-The World Wide Web Security FAQ. W3C Organization. Available at.

Page 23: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 88

http.//www.w3.org/Security/faq/wwwsf1.html. Visited on. 7th April, 2011.

[188] Ponemon Institute. White paper. State of Web Application Security. Ponemon Institute LLC. April 2010. Available at. http.//www.slideshare.net/jeremiahgrossman/state-of-web-application-security-by-ponemon-institute. Visited on. 7th Jan 2011.

[189] Ron Ben Natan. Implementing Database Security and Auditing. Elsevier digital press. Available at. www.guardium.com. Visited on. 12 August 2011.

[190] National Institute of Standards and Technology. Guide to NIST Information Security Documents. NIST Computer Security Resource Center. (USA). 2009.Available at.http.//csrc.nist.gov/publications/PubsSPs.html. Visited on. 12 August 2011.

[191] Adrian L. Best Practices for Tuning Database Audit Tools. Guardium. (USA). 2010. Available at. http.//pharmacos.imix.co.za/node/94898. Visited on 7th April, 2011.

[192] Jon Oltsik. White Paper. Information Security, Virtualization and the Journey to the Cloud. Enterprise Strategy Group Inc. (USA). August, 2010. Available at. http.//resources.idgenterprise.com/original/AST-0024015_ESG_ information_ security.pdf. Visited on. 7th April 2011.

[193] IBM. White paper. Securing a dynamic infrastructure. (USA). June 2009. Available at. http.//www.ibm.com/smarterplanet/global/ files/gb__en_uk__security_resiliency__securing_a_dynamic_infrastructure.pdf. Visited on. 7th April 2011.

[194] Diana Kelley. and Security Curve. White paper. Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle. (USA). 2009. Available at. http.//viewer.media.bitpipe.com/1033409397_ 523/1268240390_67/White-Paper-3.pdf. Visited on. 7th April 2011.

[195] Search Security Channel. Snort Tutorial. How to use Snort intrusion detection resources. TechTarget Inc. 2010. Available at. http.//searchsecuritychannel.techtarget.com/generic/0,295582,sid97_gci1517363_mem1,00.html?track=NL-676&ad=792857&asrc=EM_NLT_12719757&uid=9554581). Visited on 27 Jul 2010.

[196] Brian E. and Brian Eng. An effective information security program requires ongoing monitoring. TechTarget Inc.2010. Available at. http.//searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1521125_mem1,00.html. Visited on. 08 Oct 2010.

[197] Quest Software Inc. White paper. Defender 5. The Right Way to Prove Identify and Establish Trust. Quest Software Inc. (USA). 2008. Available at.

http.//innovbfa.viabloga.com/files/Quest___Defender_5_The_Right_Way_to_Prove___Identify_and_Establish_Trust.pdf. Visited on. 7th April, 2011.

[198] Safe Net Inc. White Paper. Reducing PCI Compliance Costs and Effort with SafeNet Transparent Tokenization. SafeNet Inc. 2010. Available at. http.//docs.google.com/viewer?a=v&q=cache.e_SZaMhMtVkJ.www.safenet-inc.com/WorkArea/DownloadAsset.aspx%3Fid%3D8589941989+Reducing+PCI+Compliance+Costs+and+Effort+with+SafeNet+Transparent+Tokenization-WHITE+PAPER&hl=ar&gl=eg&pid= bl&srcid=ADGEEShtCftMJutS5VAjYHLpnLRSVuptC3mIJ2ZBQJbhNiYSv5m8wFLSdyZWAm8SkUKfkTtXJstvCLfDzAB0tWehDDwnCviL47aWFn3z9kVEDKxiiLtFZY1fj6S89p_bLAKOqFyTqBLj&sig=AHIEtbSOUzDovdMTxKYpPJmnHS_ptv0E1A. Visited on. 7th April, 2011.

[199] Watch Guard. Technical guide on web application firewall. Watch Guard Technologies Inc. (USA). 2010. Available at. http.//viewer.media.bitpipe.com/1127859424_295/1288878967_864/1110_sS_TechGuide_WAF.pdf. Visited on. 7th April, 2011.

[200] Stephen Q., David W., Christopher J., Karen S. and John B. The Technical Specification for the Security Content Automation Protocol (SCAP).Version 1.1 Draft Recommendations of the National Institute of Standards and Technology. NIST. (USA). May 2010.

[201] Rohit S. and Nish B. Vulnerability test methods for application security assessments. TechTarget Inc. Available at. http.//searchsecurity.techtarget.com/tip/0,289483,sid14_gci1351737_mem1,00.html?mboxConv=searchCIO_RegActivate_Submit&. Visited on 25th March 2009.

[202] Imperva. White paper. The Anatomy of an Insider- Bad Guys Don’t Always Wear Black. Imperva (USA). 2009. Available at. http.//viewer.media.bitpipe.com/1110870796_424/1258049722_424/WP_Anatomy_Insider0809.pdf. Visited on. 7th April, 2011.

[203] Mathew N., Hussein F. and Charles H. An Integrated Security Governance Framework for Effective PCI DSS Implementation. International Journal of Information Security and Privacy (IJISP). 2011. Volume 5, Issue 3,

[204] PCI-Payment Card Industry. Attention of Compliance for Onsite Assessments-Merchants, version 1.2. PCI Security Standards Council LLC. October 2008.

[205] Ponemon Institute. 2011 PCI DSS Compliance Trends Study Survey of IT & IT security practitioners in the U.S. April 2011. Available at. http.//docs.media.bitpipe.com/io_10x/io_100442/item

Page 24: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 89

_417888/AP_Ponemon_2011_PCI_DSS_Compliance_Trends_Study.pdf. Visited on 24 July 2011.

[206] PCI- Security Standards Council. ASV Feedback for Brands and Others, PCI Security Standards Council LLC, version. 1.2. October 2008.

[207] PCI-Payment Card Industry, ASV Client Feedback Form, PCI Security Standards Council LLC, version. 1.2. October 2008.

[208] PCI- Security Standards Council, PCI ASV Compliance Test Agreement, PCI Security Standards Council LLC, version. 1.2. October 2008.

[209] PCI- Security Standards Council. Approved Scanning Vendors-Program Guide Reference 1.0 PCI DSS. PCI Security Standards Council LLC. Version. 1.2. March 2010.

[210] PCI- Security Standards Council.Validation Requirements-For Approved Scanning Vendors (ASV). PCI Security Standards Council LLC. Version. 1.2. October 2008.

[211] Jeff Tutton. Incident response and compliance. A case study of the recent attacks. Information Security Technical Report Elsevier Ltd. November 2010. Volume 15, Issue 4, pp145-149.

[212] PCI- Security Standards Council. Information Supplement. Application Reviews and Web Application Firewalls Clarified. PCI Security Standards Council LLC, version. 1.2. October 2008

[213] PCI- Security Standards Council. Information Supplement. Penetration Testing. PCI Security Standards Council LLC, version. 1.2, March 2008.

[214] Jeff T. Matchmaking between PCI-DSS and Security. Information Security Technical Report. Elsevier Ltd. 2010. Volume 15, Issue 4, pp. 137-166.

[215] PCI- Security Standards Council. Security Audit Procedures. PCI Security Standards Council LLC, version. 1.1. September 2006.

[216] PCI- Security Standards Council. FAQs. PCI Security Standards Council LLC, version. 1.2. October 2008.

[217] PCI- Security Standards Council. Glossary of Terms, Abbreviations, and Acronyms. PCI Security Standards Council LLC, version. 1.2. October 2008.

[218] PCI- Security Standards Council. Self-Assessment Questionnaire-Instructions and Guidelines. PCI Security Standards Council LLC. Version. 1.2. October 2008.

[219] 219. PCI- Security Standards Council. Navigating PCI DSS-Understanding the Intent of the Requirements. PCI Security Standards Council LLC, version. 1.2. October 2008.

[220] PCI- Security Standards Council. Summary of Changes from. PCI Security Standards Council LLC. Version. 1.1 to 1.2. October 2008.

[221] Ming-Yang S. and Sheng-Cheng Y. A study on the prevention of sniffing nodes in mobile ad hoc networks. Security and Communication Networks. John Wiley & Son Ltd (USA). August 2011.Volume 4. Issue 8. Pages. 910–918.

[222] PCI- Security Standards Council. QSA Feedback Form for Payment Brands and Others. PCI Security Standards Council LLC, version. 1.2. October 2008.

[223] PCI- Security Standards Council. QSA Client Feedback Form. PCI Security Standards Council LLC, version. 1.2. October 2008.

[224] PCI- Security Standards Council. Validation Requirements-For Qualified Security Assessors (QSA). PCI Security Standards Council LLC, version. 1.2. October 2008.

[225] PCI- Security Standards Council. QSA Validation Requirements-Supplement for Principal-Associate Qualified Security Assessors. PCI Security Standards Council LLC, version. 1.2. October 2008.

[226] Georges A. Review PCI DSS audit and compliance. Information Security Technical Report. November 2010. Volume 15, Issue 4, pp. 138-144.

[227] Alexander Y. Liu and Dung N. Lam. Using Consensus Clustering for Multi-view Anomaly Detection. IEEE CS on Security and Privacy Workshops. IEEE computer society (USA). 2012. Pages 117 – 124.

[228] Antonietta S., Neeli R. P. and Dimitris M. K. A Threat Analysis Methodology for Security Evaluation and Enhancement Planning. International Conference on Emerging Security Information, Systems and Technologies. 2009. PP. 262-267.

[229] Jung-ho E., Young-Ju H., Seon-Ho Park and Tai-Myoung C. Active Cyber Attack Model for Network Systems Vulnerability Assessment. International Conference on Information Science and Security (ICISS 2008). 2008. PP. 153-158.

[230] Yoshitaka N., Daisuke M., Hiroaki H. and Youki K. An Independent Evaluation of Web Timing Attack and its Countermeasure.International Conference on Availability, Reliability and Security. 2008. PP. 119-1324.

[231] G. Singaravel, V. Palanisamy and A. Krishnan. Adaptive Reusability Risk Analysis Model (ARRA).International Journal of Computer Science and Network Security. Feb 2010. Vol. 10 No. 2, pp. 97-101.

[232] Wei Y., Xun W., Xinwen F., Dong X. and Wei Z. An Invisible Localization Attack to Internet Threat Monitors. IEEE Transactions on Parallel and Distributed Systems. November, 2009. Vol. 20, no. 11, pp. 1611-1625.

[233] Anastasia M. Akram. Watch out for Spies. Ray Publishing & Science. (Syria). 2005.

[234] Kuheli R. S. Assessing insider threats to information security using technical, behavioral and organizational measures. Information Security Technical Report. (UK) August 2010. Volume 15, Issue 3, pp. 112-133.

[235] Claire Elliotta. Botnets. To what extent are they a threat to information security?.Information Security Technical Report. August 2010. Volume 15, Issue 3, pp. 79-103.

Page 25: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 90

[236] Nayot P., Rinku D. and Indrajit R. Dynamic Security Risk Management Using Bayesian Attack Graphs.IEEE Transactions on Dependable and Secure Computing. 2011. Vol. 99, no. 1.

[237] Jeffrey R. J. Estimating Software Vulnerabilities. IEEE Security and Privacy. July/August, 2007. Vol. 5, no. 4, pp. 28-32.

[238] Judith E. Y. R., Scott C. and Paul S. eTVRA, a Threat, Vulnerability and Risk Assessment Method and Tool for eEurope. International Conference on Availability, Reliability and Security. 2007. pp. 925-933

[239] Jeong-Wook K., Hyug-Hyun C., Gil-Jong M., Jae-Hyun S., Bong-Nam N. and Yong-Min K. Experiments and Countermeasures of Security Vulnerabilities on Next Generation Network. Future Generation Communication and Networking. 2007. Volume 1, vol. 2, pp. 559-564.

[240] William W. Mobile telephony security compromises. Information Security Technical Report. August 2010. Volume 15, Issue 3, pp .134-136.

[241] Jeffrey A. I., Dan S., Nancy R. M. and Antonio D. Threat Modeling the Enterprise. Journal of Information System Security. (Information Institute Publishing, Washington DC, USA). 2009. Volume 5, pp. 42–57.

[242] Basuki R., Suhono H. S., Jaka S. and Kridanto S. Threat Scenario Dependency-Based Model of Information Security Risk Analysis. International Journal of Computer Science and Network Security. August 2010.Vol. 10 No. 8, pp. 93-102.

[243] Wes A. Understanding Spyware. Risk and Response. IT Professional. September/October, 2004. Vol. 6, No. 5, pp. 25-29.

[244] Barmak Meftah. One-third are victims of hacking. Electronics Weekly. (USA). Jun 16-22 2010. Iss. 2432, PQ-ID (2071656581), Pages. 8. Available at. http.//proquest.umi.com/pqdweb?RQT=568&VInst=PROD&VName=PQD&VType=PQD&Fmt=3&did=2071656581&TS=1279105018. Visited on. 06 July 2010.

[245] Mohammad E. R., Rasool J. and Hamid M. Vulnerability Analysis through a Graph-based Protection System.International Journal of Computer Science and Network Security. Dec 2006. Vol. 6, No. 12, pp. 311-319.

[246][247] Zhanshan Sam Ma. Frailty modelling for risk

analysis in network security and survivability. International Journal of Information and Computer Security. 2011. Vol. 4, No.3, pp. 276 - 294.

[248] Arash B., Kiyana Z. and Shahriar M. A framework for cyber war against international terrorism. International Journal of Internet Technology and Secured Transactions. 2011. Vol. 3, No.1, pp. 29 – 39.

[249] Sami R. A look at Portable Document Format vulnerabilities. Information Security Technical Report. (Stonesoft Corporation, Finland). February 2009. Volume 14, Issue 1, pp 30-33.

[250] A. Bhattarai and D. Dasgupta. A Self-Supervised Approach to Comment Spam Detection Based on Content Analysis. International Journal of Information Security and Privacy (IJISP).(USA). 2011. Volume 5, Issue 1.

[251] Norman P. and Mark R. A Simulation of Various Variable Hacker Populations. International Conference on Computational Science and Engineering. 2009. Vol. 3, pp. 504-510.

[252] Aggeliki T., Maria K., Spyros K. and Evangelos K. Aligning Security Awareness with Information Systems Security Management. Journal of Information System Security. Information Institute Publishing (Washington DC, USA). 2010. Volume 6, No.1, pp. 36–54.

[253] Lydia R. and Jianhua Y. Beyond the Security Track. Embed Security Education across Undergraduate Computing Curricula Using M-Thread Approach. International Journal of Computer Science and Network Security. August 2011. Vol. 11, No. 8, pp. 131-137.

[254] Thaier H., Razvi D., Prashant K. and David T. Source—destination obfuscation in wireless adhoc networks.Security and Communication Networks.John Wiley & Son Ltd (USA). August 2011.Volume 4. Issue 8. Pages. 888–901.

[255] Alessandro A. and Alessandra D. P. Estimating the maximum information leakage. International Journal of Information Security. October 2007. Volume 7, No. 3, pp. 219-242.

[256] David Geer. Hackers Get to the Root of the Problem. Computer. (IEEE Computer Society, USA). May 2006. Vol. 39, No. 5, pp. 17-19.

[257] Gregory C., Thomas B. and John N. Hacking Competitions and Their Untapped Potential for Security Education. IEEE Security and Privacy. (IEEE Computer Society, USA). 2011. Vol. 9, no. 3, pp. 56-59.

[258] Michelle Kincaid. Cyber Attacks Can Be Prevented. Business Wire. (USA). July, 2010. Pages. 202 – 207. ProQuest ID. 2065572291. Available on. http.//proquest.umi.com/pqdweb?RQT=568 & VInst=PROD&VName=PQD& VType=PQD&Fmt=3&did= 2065572291&TS=1279104642. Visited on. 06 July 2010.

[259] 258. Kim-K. and Raymond C. High tech criminal threats to the national information infrastructure.Information Security Technical Report. (Australia). August 2010. Volume 15, Issue 3, pp 104-111. 259. Wang, P., Wu, L., Cunningham, R. and Zou, C.C. Honeypot detection in advanced botnet attacks.

Page 26: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 91

Int. J. Information and Computer Security. 2010. Vol. 4, No. 1, pp.30–51.

[260] 260. Carl C. Human Factors in Information Security. The insider threat – Who can you trust these days. Information Security Technical Report. (UK). November 2009. Volume 14, Issue 4, pp 186-196. 261. Peter O. and Thomas J. O. On the Anatomy of Human Hacking. Information Systems Security. (Taylor & Francis Group, UK). Nov/Dec 2007. Vol. 16, Iss. 6, pp. 302-314.

[261] 262. Benoît D., Stefan B., Kieran M. and Sakir S.Analysis of information leakage from encrypted Skype conversation. International Journal of Information Security.2010. Volume 9, No. 5, pp. 313-325.

[262] 263. Mcafee. Information on how to spot holiday-related scams. Mcafee Incorporation. Available at. https.//mail.google.com/mail/?hl=en&shva =1#inbox/12f6fb23b7a545af. Visited on. 20th Apr 2011

[263] 264. William W. Mobile telephony security compromises.Information Security Technical Report. (UK). August 2010. Volume 15, Issue 3, pp. 134-136.

[264] 265. D. D. Hwang, Shenglin Yang, I. Verbauwhede and P. Schaumont. Multilevel design validation in a secure embedded system. IEEE International High-Level Design, Validation, and Test Workshop. 2005. Pages 203-210.

[265] 266. Xinwen Fu, Wei Yu, Dan Cheng, Xuejun Tan, Kevin Streff and Steve Graham. On Recognizing Virtual Honeypots and Countermeasures. IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'06). 2006. Pages 211-218.

[266] 267. Cazier, J. A. and C. M. Botelho. Password Collection through Social Engineering. An Analysis of a Simulated Attack. Journal of Information System Security. (Information Institute Publishing, Washington DC, USA). 2010. Pages 53–70.

[267] 268. Sameera M. and Jill S. Protecting clients from insider attacks on trust accounts.Information Security Technical Report. (Australia). November, 2009. Volume 14, Issue 4, pp. 175-230.

[268] 269. Ian McLoughlin. Secure Embedded Systems. The Threat of Reverse Engineering. IEEE International Conference on Parallel and Distributed Systems. 2008. Pages 729-736.

[269] 270. Gary Hinson. Social Engineering Techniques, Risks, and Controls. The EDP Audit, Control, and Security News Letter.(Taylor & Francis Group, UK). April-May 2008. Volume. XXXVII, Iss. 4-5, pp. 32-46.

[270] 271. Jangbok K., Kihyun C. and Kyunghee C. Spam Filtering With Dynamically Updated URL

Statistics. IEEE Security and Privacy. July/August, 2007. vol. 5, no. 4, pp. 33-39.

[271] 272. Robert E. C. and France B. The Effects of Security Education Training and Awareness Programs and Individual Characteristics on End User Security Tool Usage.Journal of Information System Security. (Information Institute Publishing, Washington DC, USA). 2009. Volume 5, No. 3, pp. 3–22.

[272] 273. Rachana D. What the hack. Tribune Business News. (USA). July, 2010. ProQuest ID. 2069944001. Available on. http.//proquest.umi.com/pqdweb?RQT=568&VInst=PROD&VName=PQD&VType=PQD&Fmt=3&did=2069944001&TS=1279104520. Visited on. 06 July 2010.

[273] 274. Donghwi Lee, Won Hyung Park and Kuinam J. Kim. A Study on Analysis of Malicious Codes Similarity Using N-Gram and Vector Space Model.International Conference on Information Science and Applications, 2011. Pages 1-4.

[274] 275. Martin R. Stytz and James A. Whitaker. Software Protection. Security’sLast Stand? IEEE Security & Privacy.Vol 1, Issue 1. (USA). 2003. Pages. 95-98.

[275] 276. David E. Bakken, Rupa Parameswaran, Douglas M. Blough, Ty J. Palmer,and Andy A. Franz. Data Obfuscation. Anonymity and Desensitization ofUsable Data Sets. IEEE Security & Privacy. Vol 2, Issue 6. (USA). 2004. Pages. 34-41.

[276] 277. Vivek Balachandran and Sabu Emmanuel. Software Code Obfuscation by Hiding Control Flow Information in Stack. IEEE Workshop on Information Forensics and Security (WIFS). 2011. Pages. 1-6.

[277] 278. Tang Jiutao and Lin Guoyuan. Research of Software Protection. International Conf. on Educational and network Technology (ICENT). 2010. Pages. 410-413

[278] 279. Oliver Brdiczka, Juan Liu, Bob Price, Jianqiang Shen, Akshay Patil, Richard Chow, Eugene Bart, and Nicolas Ducheneaut. Lam. Proactive Insider Threat Detection through Graph Learning and Psychological Context. IEEE CS on Security and Privacy Workshops. IEEE computer society (USA). 2012. Pages 142 - 149.

[279] 280. Fred Cohen. Forensic Methods for Detecting Insider Turning Behaviors. IEEE CS on Security and Privacy Workshops. IEEE computer society (USA). 2012. Pages 150 - 158.

[280] 281. Alhazmi, O.H., Malaiya Y.K. and Ray I. Measuring, analyzing and predicting security vulnerabilities in software systems. Computers and Security.(Elsevier B.V., USA). May, 2007. Volume 26, Issue 3, pp. 219-228.

[281] 282. Tang, Zaiyong, Bagchi, Kallol, Jain and Anurag. An Agent Based Model for Exploring Internet Hacking Trend. (2009).AMCIS. 2009.

Page 27: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 92

Available on. http.//aisel.aisnet.org/amcis2009/231. Visited on. 15 August 2011.

[282] 283. Sanjay R. and Ashutosh S. Application security code analysis. a step towards software assurance.International Journal of Information and Computer Security. (India). 2009. Vol. 3, No., pp. 86 - 110.

[283] 284. Ahmad R. A., Raphael C-W. Phan, David J. P. and John N. W. Evidential structures and metrics for network forensics. International Journal of Internet Technology and Secured Transactions. (UK). 2010. Vol. 2, No.3/4, pp. 250 – 270.

[284] 285. Lyes K., Yacine C., Abdelmadjid B. and Nadjib B.On security issues in embedded systems. challenges and solutions.International Journal of Information and Computer Security. 2008. Vol. 2, No.2, pp. 140 – 174.

[285] 286. PCI- Security Standards Council. Attestation of Compliance for Onsite Assessments – Service Providers. PCI Security Standards Council LLC, version. 1.2. October 2008.

[286] 287. André M. Matchmaking between PCI-DSS and Security. Information Security Technical Report. November 2010. Volume 15, Issue 4, pp. 137-166.

[287] 288. Lang Spitzner. It's your fault - Security Awareness. Information Security Magazine. October, 2010. Vol. 12. Number 8, pp. 47-51.

[288] 289. Xiao J., Yanming W. and Zhiyu H. A Malware Sample Capturing and Tracking System.World Congress on Software Engineering.December, 2010. Pages 69-72.

[289] 290. Corrado L. and Marc D. SGNET. A Worldwide Deployable Framework to Support the Analysis of Malware Threat Models.European Dependable Computing Conference. May, 2008. Pages 99-109.

[290] 291. Julia N., Chiraag A., Barbara E. P., Christian S., Ashish M. and Doug N. Assessment of Virtualization as a Sensor Technique. IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering. May 2010. Pages 61-65.

[291] 292. Andreas M., Christopher K. and Engin K. Exploring Multiple Execution Paths for Malware Analysis.IEEE Symposium on Security and Privacy. May, 2007. Pages. 231-245.

[292] 293. Guido S., Engin K., Paolo M. C., Stefano Z., Clemens K. and Christopher K. Identifying Dormant Functionality in Malware Programs. IEEE Symposium on Security and Privacy. May, 2010. Pages 61-76.

[293] 294. Michel C. The client side – Patch Management. Information Security. March, 2011. Pages 37- 42.

[294] 295. Stefano Z. Observing the Tidal Waves of Malware. Experiences from the WOMBAT Project. International Conference on Information

Technology for Real World Problems. December 2010. Pages 30-35.

[295] 296. Amit V. MalTRAK. Tracking and Eliminating Unknown Malware. Computer Security Applications Conference. December 2008. Pages 311-321.

[296] 297. LingYun Z. VMM-Based Framework for P2P Botnets Tracking and Detection. International Conference on Information Technology and Computer Science. July, 2009. Pages. 172-175.

[297] 298. Richard E. and Mackey, JR. Sizing Up Risk. Information Security. March, 2011. Pages 28- 35.

[298] 299. Afolabi O. Richard, Aftab A. and Kim K. Security assessments of IEEE 802.15.4 standard based on X.805 framework.International Journal of Security and Networks. (Korea). 2010. Vol. 5. No.2/3, pp. 188 - 197.

[299] 300. Dharmendra C., Umesh K. S. and Dimitris K. An intelligent anti-phishing solution. password-transaction secure window. International Journal of Internet Technology and Secured Transactions. Greece, 2011. Vol. 3, No.3, pp. 279 - 292.

[300] 301. Huajun H., Shaohong Z. and Junshan T. Browser-Side Countermeasures for Deceptive Phishing Attack.International Conference on Information Assurance and Security. 2009. Vol. 1, pp. 352-355

[301] 302. Huajun H., Junshan T. and Lingxi L. Countermeasure Techniques for Deceptive Phishing Attack.International Conference on New Trends in Information and Service Science. 2009. Pages 636-641.

[302] 303. Bob M., Mason B., Alan P. and Dennis K. CWE/SANS Top 25 Most Dangerous Software Errors. The MITRE Corporation. June 29, 2011. Available at. http.//cwe.mitre.org/top25/

[303] 304. Tunitas Group. Healthcare Industry Best Practices for Securing Email. August 2003. Available at. http.//www.tunitas.com/content/downloads/papers/Email%20Security %20Best%20Practices.PDF. Visited on. 12 March 2011.

[304] 305. Mo Li, Xiaoye J., and Leonidas G. Fingerprinting Mobile User Positions in Sensor Networks. Attacks and Countermeasures. IEEE Transactions on Parallel and Distributed Systems. (IEEE Computer Society,USA). 2011. Vol. 99, no. 1.

[305] 306. Nicole Lang Beebe and Jan Guynes Clark. A Model for Predicting Hacker Behavior. Journal of Information System Security. (Information Institute Publishing, Washington DC, USA). 2007. Volume 3, Number 3. Pages 3–20.

[306] 307. Thomas G. Zimmerman. Hacking in Industrial Research and Development. EEE Pervasive Computing. July-September, 2008. Vol. 7, no. 3, pp. 16-23.

[307] 308. Joseph A. Paradiso, John H. and Thomas G. Zimmerman. Hacking Is Pervasive. IEEE Pervasive

Page 28: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 93

Computing. September 2008. Vol. 7, no. 3, pp. 13-15.

[308] 309. Neville H. In Defense of Spam. Computer. April 2005. Vol. 38, no. 4, pp. 88, 86-87.

[309] 310. Norman S. Metrics for Mitigating Cybersecurity Threats to Networks. IEEE Internet Computing. January/February. 2010. Vol. 14, no. 1, pp. 64-71.

[310] 311. Min-Hua S. An Approach to Security and Privacy of RFID Systems in Anti-Desynchronization. International Journal of Computer Science and Network Security. April 2010. Vol. 10, No. 4, pp. 40-44.

[311] 312. Dominik B., Sebastian G., Felix G. and Ahmad-Reza S. Phishing Phishers - Observing and Tracing Organized Cybercrime. InternationalConference on Internet Monitoring and Protection (ICIMP 2007). 2007. Pages 3.

[312] 313. Malliga, S. and Tamilarasi, A. A backpressure technique for filtering spoofedtraffic at upstream routers. International Journal of Security and Networks. 2010. Vol. 5, No. 1, pp. 3–14.

[313] 314. IEEE. A Distributed Vulnerability Detection System for WLANs. International Conference on Wireless Internet (WICON'05). (IEEE Computer Society, Los Alamitos, CA, USA). 2005. pp. 86-93.

[314] 315. Mario K., Marin G. and Stjepan G.A method for identifying Web applications. International Journal of Information Security. 2009. Volume 8, Number 6, pp. 455-467.

[315] 316. Enterprise Management Associates (EMA). Trend Micro’s End-to-End Vulnerability Management. A New Approach to Layered Security. 2010. Available at. http.//docs.media.bitpipe.com/io_25x/io_25910/item_402520/ EMA_ TrendMicro-VulnerabilityMgmt-1210_WP.pdf. Visited on 12 July 2011.

[316] 317. Thawatchai C. HTTPS Hacking Protection. International Conference on Advanced Information Networking and Applications Workshops (AINAW'07). 2007. Vol. 1, pp. 590-594.

[317] 318. Frederik Armknecht, Roel Maes, Ahmad-Reza Sadeghi, François-Xavier Standaert, and Christian Wachsmann. A Formal Foundation for the Security Features of Physical Functions. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 397 – 412.

[318] 319. Lieven D., Pierre V., Wouter J. and Frank P. Provable Protection against Web Application Vulnerabilities Related to Session Data Dependencies.IEEE Transactions on Software Engineering. January, 2008. Vol. 34, no. 1, pp. 50-64.

[319] 320. Robert W.Software code analysis firm gives security vendors poor marks. TechTarget. (USA).Apr, 20 2011. Available at. http.//searchsecurity.techtarget.com/news/224003491

7/Software-code-analysis-firm-gives-security-vendors-poor-marks?asrc=EM_NLN_13703659 &track=NL-102&ad=827068. Visited on 10 August 2011.

[320] 321. Robert W. Attackers zero in on Web application vulnerabilities. TechTarget. Available at. http.//searchsecurity.techtarget.com/magazineFeature/ 0,296894,sid14_gci1380358_mem1,00.html. Visited on 10 August 2011.

[321] 322. George S. Oreku, Jianzhong Li and Fredrick J. M. A framework towards enhancing trust and authorisation for e-commerce service. International Journal of Internet Technology and Secured Transactions. (Ireland). 2009. Vol. 1, No.3/4, pp. 173 – 202.

[322] 323. Slim K., Anis C., Mira M., Mohamed J. and Andreas S. A holistic approach for access control policies. from formal specification to aspect-based enforcement. International Journal of Information and Computer Security. (Germany). 2009. Vol. 3, No.3/4, pp. 337 – 354.

[323] 324. Huaqiang W., Jim Alves-Foss, Terrence S., Hugh P., Du Zhang and Deborah F. A Layered Decision Model for cost-effective system security. International Journal of Information and Computer Security. (USA). 2008. Vol. 2, No. 3 pp. 297 – 324.

[324] 325. Natalia S., Samik B. and Johnny W. A taxonomy of intrusion response systems.International Journal of Information and Computer Security. (USA). 2007. Vol. 1, No.1/2, pp. 169 - 184.

[325] 326. Vijayalakshmi A., Qi Guo, Heechang S. and Jaideep V.A unified index structure for efficient enforcement of spatiotemporal authorizations. International Journal of Information and Computer Security. (USA). 2010. Vol. 4, No.2, pp. 118.

[326] 327. Benjamin U. and Johnny S. Wong. An agent-based framework for intrusion detection alert verification and event correlation. International Journal of Security and Networks. (USA). 2008. Vol. 3, No.3, pp. 193 - 200.

[327] 328. Sookyoung L. and Krishna M. Sivalingam. An efficient One-Time Password authentication scheme using a smart card. International Journal of Security and Networks. (India). 2009. Vol. 4, No.3, pp. 145 – 152.

[328] 329. P. Venkataram, Jeremy Pitt, B. Sathish Babu and E. Mamdani. An intelligent proactive security system for cyber centres using Cognitive Agents. International Journal of Information and Computer Security. (UK). 2008. Vol. 2, No.3, pp. 235 - 249.

[329] 330. Nora C. B., Frederic C., Fabien A. and Herve D. An ontology-based approach to react to network attacks. International Journal of Information and Computer Security. (France). 2009. Vol. 3, No.3/4, pp. 280 - 305.

[330] 331. García T., P.a, Díaz V., J.a, Maciá F., G.a and Vázquez, E.b. Anomaly-based network intrusion detection. Techniques, systems and

Page 29: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 94

challenges.Computersand Security. February 2009. Volume 28, Issue 1-2, Pages 18-28.

[331] 332. Brian S. and Owen M. Creating and enforcing access control policies using description logic techniques. International Journal of Internet Technology and Secured Transactions. (Ireland). 2011. Vol. 3, No.3, pp. 253 - 278.

[332] 333. Nitesh S. and Jonathan V. Data remanence effects on memory-based entropy collection for RFID systems.International Journal of Information Security. 2011. Volume 10, Number 4, pp. 213-222.

[333] 334. Clara B. and Maribel F. Distributed event-based access control. International Journal of Information and Computer Security. (UK). 2009. Vol. 3, No.3/4, pp. 306 – 320.

[334] 335. Tsai, J.Efficient multi-server authentication scheme based on one-way hash function without verification table.Computers and Security. May 2008. Volume 27, Issue 3-4, pp. 115-121.

[335] 336. Adel B., Zouheir T., Ezedin B. and Mohammed-Anis B. Firewall filtering rules analysis for anomalies detection.International Journal of Security and Networks. 2008. Vol. 3, No.3, pp. 161 - 172.

[336] 337. Haiping X., Mihir A. and Abhinay R. Formal modelling and analysis of XML firewall for service-oriented systems.International Journal of Security and Networks. (USA). 2008. Vol. 3, No.3, pp. 147 - 160.

[337] 338. Mahmoud Al-Qutayri, Chan YeobYeun and Khalifa B. Framework for secure wireless health monitoring and remote access system.International Journal of Internet Technology and Secured Transactions. 2010. Vol. 2, No.3/4, pp. 380 – 398.

[338] 339. Lili Y. and S.H. Y. framework of security and safety checking for internet-based control systems. International Journal of Information and Computer Security. (UK). 2007. Vol. 1, No.1/2, pp. 185 - 200.

[339] 340. Chien-Chuan L. and Ming-Shi W. Genetic-clustering algorithm for intrusion detection system. International Journal of Information and Computer Security. (Taiwan). 2008. Vol. 2, No.2, pp. 218 - 234.

[340] 341. Vijayalakshmi A. and Soon Ae C. A geotemporal role-based authorization system.International Journal of Information and Computer Security. (USA). 2007. Vol. 1, No.1/2, pp. 143 - 168.

[341] 342. Alex B., Michael S., Matthew C. and Joseph Z., A case study in hardware Trojan design and implementation.International Journal of Information Security.Sep 2010. Volume 10, Number 1, pp. 1-14.

[342] 343. Mouza Ahmad B. S., Chan Yeob Y. and Mohamed Jamal Z. Lightweight mutual authentication protocol for securing RFID applications.International Journal of Internet

Technology and Secured Transactions. 2010. Vol. 2, No.3/4, pp. 205 – 221.

[343] 344. Lumension Endpoint Security. White Paper. Minimizing your insider risk by controlling USB devices and encrypting data. Lumension Incorporation. Available at. http.//portal.lumension.com. Visited on. 09 July 2011.

[344] 345. Prashant D., Partha D. and Amiya B. Mitigating routing vulnerabilities in ad hoc networks using reputations. International Journal of Information and Computer Security. (USA). 2009. Vol. 3, No.2, pp. 150 - 172.

[345] 346. Kun P., Ed Dawson and Feng B. Modification and optimization of a shuffling scheme. stronger security, formal analysis and higher efficiency. International Journal of Information Security. Sep 25, 2010. Volume 10, Number 1, pp. 33-47.

[346] 347. G. Engels, L. P. J. Groenewgen and G. Kappel. Object-Oriented Specification of coordinated collaboration. Dept. of Computer Science, Leiden University. (Netherlands). Available at. http.//www.citeseerx.ist.psu.edu.Visited on. 14/Dec/ 2009.

[347] 348. Lishoy F., Gerhard H., Keith M. and Konstantinos M. On the security issues of NFC enabled mobile phones. International Journal of Internet Technology and Secured Transactions. (UK). 2010. Vol. 2, No.3/4, pp. 336 - 356.

[348] 349. Amitabh S. and Ben S. One-Way Signature Chaining. a new paradigm for group cryptosystems. International Journal of Information and Computer Security. (Australia). 2008. Vol. 2, No.3, pp. 268 - 296.

[349] 350. Adin S., Alexander V., Anthony L. and Eyal De Lara. Proximity-based authentication of mobile devices.International Journal of Security and Networks. (Canada). 2009. Vol. 4, No.1/2, pp. 4 - 16.

[350] 351. Awasthi, A.K. Remarks on the security of the strong proxy signature scheme with proxy signer privacy protection. International Journal Information and Computer Security. 2010. Vol. 4, No. 1, pp.24–29.

[351] 352. Satish N. S., Matthias J. and Wolfgang P. Security analysis of mobile web service provisioning.International Journal of Internet Technology and Secured Transactions. (Germany). 2007. Vol. 1, No.1/2, pp. 151 - 171.

[352] 353. Monia L., Mohamed J. and Mohamed M. Dynamic security framework for mobile agent systems. specification, verification and enforcement. International Journal of Information and Computer Security. (France). 2009. Vol. 3, No.3/4, pp. 321 - 336.

[353] 354. Ioannis M., Andreas M., Ioannis P., Isabella K. and Christos I. Supporting dynamic

Page 30: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 95

administration of RBAC in web-based collaborative applications during run-time. International Journal of Information and Computer Security. (Greece). 2008. Vol. 2, No.4, pp. 328 - 352.

[354] 355. John C. G., Andrew F. T. and James M. Token-based graphical password authentication. International Journal of Information Security. Oct, 2011.

[355] 356. Ray, I. and Kumar, M. Towards a location-based mandatory access control model. Computers and Security. February 2006. Volume 25, Issue 1, Pages 36-44.

[356] 357. Lanier W., Raheem B. and Cherita C.Using link RTT to passively detect unapproved wireless nodes.International Journal of Security and Networks. (USA). 2009. Vol. 4, No.3, pp. 153 - 163.

[357] 358. Barry A. C., Casey G. C. and Chetan S. Sankar. An Exploratory Delphi Study among Small Business Executives on Adoption of Disaster Recovery Practices. Journal of Information System Security. (Information Institute Publishing, Washington DC, USA). 2009. Volume 5, Number 1, pp. 61–87.

[358] 359. A. Chakraborty, M.K. Garg, A.K. Majumdar and S. Sural. Attack recovery from malicious transactions in distributed database systems. International Journal of Information and Computer Security. (India). 2008. Vol. 2, No. 2, pp. 197 – 217.

[359] 360. Francis Hsu, Hao Chen, Thomas Ristenpart, Jason Li and Zhendong Su. Back to the Future. A Framework for Automatic Malware Removal and System Repair.Annual Computer Security Applications Conference (ACSAC'06). 2006. Page. 257 - 268.

[360] 361. Grant Williams. Case Study. Crisis Management. When Disaster Strikes, Have a Plan. Then Change It As Needed. NYC& Co. (New York, USA). Nov 13, 2006. Vol. 62,Iss. 44.ProQuest ID. 1161451941. Available on. http.//proquest.umi.com/ pqdweb?RQT=568&VInst=PROD&VName=PQD& VType=PQD&Fmt=3&did=1161451941. Visited on. 07 August 2010.

[361] 362. Michael Ste. M. Do You Have a Disaster Recovery Plan?.Information Security Journal. A Global Perspective. (Taylor & Francis, UK). Mar, 2010. Vol. 19, Iss.1, pp. 1-3.

[362] 363. George A. and Sokratis K. Disaster Recovery Plan Activities into the System Development Life Cycle.Journal of Information System Security. (Information Institute Publishing, Washington DC, USA). 2010. Volume 6, Number 1, pp. 20–35.

[363] 364. Aggelinos, George, Katsikas, and Sokratis. Integrating Disaster Recovery Plan Activities Into The System Development Life Cycle. MCIS. 2009. Paper 76. http.//aisel.aisnet.org/mcis2009/76.

[364] 365. Jack Danahy. White paper. IBM Smarter software for smarter planet. IBM Corporation. (USA). June 2009. Available at.

ftp.//public.dhe.ibm.com/ software/info/ibmsoftware. Visited on. 7th April 2010.

[365] 366. WenJie W., Yufei Y. and Norm A. A Contextual Framework for Combating Identity Theft. IEEE Security and Privacy. March/April, 2006. Vol. 4, no. 2, pp. 30-38.

[366] 367. Wang, J. and Smith, G.L., A cross-layer authentication design for secure video transportation in wireless sensor, network. International Journal of Security and Networks. 2010. Vol. 5, No. 1, pp.63–76.

[367] 368. Kyungroul L., Wansoo K., Kwangjin B. and Kangbin Y. A Solution to Protecting USB Keyboard Data.International Conference on Broadband, Wireless Computing, Communication and Applications. 2010. Pages. 108-111.

[368] 369. Andy J. and T. Martin. Digital forensics and the issues of identity. Information Security Technical Report. May 2010. Volume 15, Issue 2, Pages 67-71.

[369] 370. Chunsheng Liu and Yu Huang. Effects of Embedded Decompression and Compaction Architectures on Side-Channel Attack Resistance. IEEE VLSI Test Symposium (VTS'07). 2007. Page 461-468.

[370] 371. Ali Al Shidhani and Victor C.M. Leung. Fast and Secure Reauthentications for 3GPP Subscribers during WiMAX-WLAN Handovers. IEEE Transactions on Dependable and Secure Computing. September/October, 2011. Vol. 8, no. 5, pp. 699-713.

[371] 372. Pranab M., Sudeep S. and Rangachar K. From Scores to Face Templates. A Model-Based Approach.IEEE Transactions on Pattern Analysis and Machine Intelligence. December, 2007. Vol. 29, no. 12, pp. 2065-2078.

[372] 373. Chenjia W., Kevin P. M. and Weisong Shi. HACK. A Health-Based Access Control Mechanism for Dynamic Enterprise Environments.International Conference on Computational Science and Engineering. 2009. Vol. 2, pp. 795-801.

[373] 374. Salvatore J. Stolfo, Malek Ben Salem, and Angelos D. Keromytis. Fog Computing. Mitigating Insider Data Theft Attacks in the Cloud. IEEE CS on Security and Privacy Workshops. IEEE computer society (USA). 2012. Pages 125 – 128.

[374] 375. Jonathan Voris, Nathaniel Boggs, and Salvatore J. Stolfo. Lost in Translation. Improving Decoy Documents via Automated Translation. IEEE CS on Security and Privacy Workshops. IEEE computer society (USA). 2012. Pages 129 - 133.

[375] 376. Kyungroul L. and Kangbin Y. Keyboard Security. A Technological Review. International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing. 2011. Pages 9-15.

[376] 377. Guoqiang S. and David L. Minutiae. A Formal Methodology for Accurate Protocol Fingerprinting. IEEE Workshop on Secure Network Protocols. 2007. Pages 1-6.

Page 31: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 96

[377] 378. Laszlo G. and SandorImre. Novel quantum information solution to copy-protection and secured authentication. International Journal of Internet Technology and Secured Transactions. (Hungary). 2011. Vol. 3, No.1, pp. 40 – 62.

[378] 379. S.M. Furnell. Online identity. Giving it all away.Information Security Technical Report. May 2010. Volume 15, Issue 2, Pages 42-46.

[379] 380. Alin D., Richard H., AvinashV. and Kevin K. Z. Policy-aware sender anonymity in location based services.International Conference on Advanced Information Networking and Applications (AINA'06). 2010. Volume 1, pp. 133-144.

[380] 381. Yanjun Z. Prompt damage identification for system survivability.International Journal of Information and Computer Security. (USA). 2008. Vol. 2, No.4, pp. 411 - 433.

[381] 382. Paolo F., Riccardo S. and Mario B. Remote Trust with Aspect-Oriented Programming. International Conference on Advanced Information Networking and Applications (AINA'06). 2006. Volume 1, pp. 451-458.

[382] 383. Ileana B., Bas B., Jeroen D., Pieter H. Hartel and Raymond N.J. V. Secure pairing with biometrics.International Journal of Security and Networks. (USA). 2009. Vol. 4, No.1/2, pp. 27 – 42.

[383] 384. Nick Lewis. Secure tokens. Preventing two-factor token authentication exploits. TechTarget. 2011. Available at. http.//searchsecurity. techtarget.com/tip/Secure-tokens-Preventing-two-factor-token-authentication-exploits?asrc=EM_NLT_14569121&track=NL-427&ad=842781&. Visited on. 15 August 2011.

[384] 385. S. Tripathy and S. Nandi. Secure user-identification and key distribution scheme preserving anonymity.International Journal of Security and Networks. (Guwahati). 2008. Vol. 3, No.3, pp. 201 – 205.

[385] 386. Kjell J. H., Erlend D. and Per Thorsheim. Securing Wi-Fi Networks. Computer. July, 2005. Vol. 38, no. 7, pp. 28-34.

[386] 387. Supriya M. and Sushila M. Shielding against SQL Injection Attacks Using ADMIRE Model.International Conference on Computational Intelligence, Communication Systems and Networks . 2009. Pages. 314-320.

[387] 388. Marc L., and Günter K. Social networking and the risk to companies and institutions.Information Security Technical Report. May 2010. Volume 15, Issue 2, pp. 51-56.

[388] 289. Wael K., Nora C. B., Frédéric C., Samuel D. and Antony M. Success Likelihood of Ongoing Attacks for Intrusion Detection and Response Systems. International Conference on Computational Science and Engineering. 2009. Vol. 3, pp. 83-91.

[389] 390. D. SanthiJeslet, G.Sivaraman, M. Uma, K.Thangadurai and M.Punithavalli. Survey on Awareness and Security Issues in Password

Management Strategies. International Journal of Computer Science and Network Security. April 2010. Vol. 10, No. 4, pp. 19-23.

[390] 391. Karen L. Ö. The art of alchemy. Information Security Technical Report. May 2010. Volume 15, Issue 2, pp. 47-50.

[391] 392. Xiaoli L., Pavol Z., Ron R. and Dale L. Threat Modeling for CSRF Attacks. International Conference on Computational Science and Engineering. 2009. Vol. 3, pp. 486-491.

[392] 393. Randall Gamby. SMS two-factor authentication for electronic identity verification. TechTarget. 2011. Available at. http.//searchsecurity. techtarget.com/tip/SMS-two-factor-authentication-for-electronic-identity-verification. Visited on. 15 August 2011.

[393] 394. Serge C., and Damien S. Smart cards and remote computing. Interaction or convergence?.Information Security Technical Report. May 2009. Volume 14, Issue 2, pp. 101-110.

[394] 395. Tony B. Smart card security evaluation. Community solutions to intractable problems.Information Security Technical Report. May 2009. Volume 14, Issue 2, pp. 57-69.

[395] 396. Xuefei L. Smart card applications and security. Information Security Technical Report. May 2009. Volume 14, Issue 2, Pages 36-45.

[396] 397. Konstantinos M., Keith M., Damien S. and Ioannis G. A. Overview of Security Threats for Smart Cards in the Public Transport Industry.IEEE International Conference on e-Business Engineering. 2008. Pages 506-513.

[397] 398. Damien S. Multiapplication smart card. Towards an open smart card?.Information Security Technical Report. May 2009. Volume 14, Issue 2, pp. 70-78.

[398] 399. Konstantinos M., Michael T., Gerhard H., Ioannis A., and Keith M. Attacking smart card systems. Theory and practice.Information Security Technical Report. May 2009. Volume 14, Issue 2, Pages 46-56.

[399] 400. T. Abbes, A. Bouhoula and M. Rusinowitch. Efficient decision tree for protocol analysis in intrusion detection. International Journal of Security and Networks. (France). 2010. Vol. 5, No.4, pp. 220 – 235.

[400] 401. Zhenyun Z., Ying Li and Zesheng C. Enhancing Intrusion Detection System with proximity information. International Journal of Security and Networks. (USA). 2010. Vol. 5, No.4, pp. 207 – 219.

[401] 402. Andrew L. B., Michael D., Indrajit R., Ramakrishna T. and Hailin W. Origins. an approach to trace fast spreading worms to their roots.International Journal of Security and Networks. (USA). 2008. Vol. 3, No.1, pp. 36 – 46.

[402] 403. Guillaume H., Valerie V. T. T., Ludovic M. and Benjamin M.Policy-based intrusion detection in

Page 32: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 97

web applications by monitoring Java information flows.International Journal of Information and Computer Security. (France). 2009. Vol. 3, No.3/4, pp. 265 – 279.

[403] 404. Joshua O. N. Understanding the decision rules for partitioning logs of intrusion detection systems (IDS).International Journal of Internet Technology and Secured Transactions. (UK). 2011. Vol. 3, No.3, pp. 293 – 309.

[404] 405. Wei L. and Issa T. Unsupervised anomaly detection using an evolutionary extension of k-means algorithm. International Journal of Information and Computer Security. (Canada). 2008. Vol. 2, No.2, pp. 107 – 139.

[405] 406. Rajesh K. T. and G. Sahoo. A novel steganographic methodology for high capacity data hiding in executable files. International Journal of Internet Technology and Secured Transactions. (India). 2011. Vol. 3, No.2, pp. 210 – 222.

[406] 407. Dang N. D., Divyan M. K., Hyunrok L. and Kwangjo K. A survey on RFID security and provably secure grouping-proof protocols.International Journal of Internet Technology and Secured Transactions. (Korea). 2010. Vol. 2, No.3/4, pp. 222 – 249.

[407] 408. Defa H. and Qiaoliang L. Bandwidth efficient asymmetric fingerprinting based on one-out-of-two oblivious transfer. International Journal of Information and Computer Security. (China). 2010. Vol. 4, No.2, pp. 152 – 163.

[408] 409. Wayne A. Jansen. Cloud Hooks. Security and Privacy Issues in Cloud Computing. 44th Hawaii International Conference on System Sciences. 2011. Pages 1-10.

[409] 410. Abdelrahman D. Comprehensive linguistic steganography survey. International Journal of Information and Computer Security. (USA). 2010. Vol. 4, No.2, pp. 164 - 197.

[410] 411. Edgar A. W. Informational privacy, consent and the “control” of personal data. Information Security Technical Report. August 2009. Volume 14, Issue 3, pp. 154-159.

[411] 412. Xiaoxun S., Hua W., Jiuyong L. and Yanchun Z. Injecting purpose and trust into data anonymisation. Science Direct. (Australia). June 7, 2011. Available at. http.//www.sciencedirect.com/science?_ob=ShoppingCartURL&_method=add&_eid=1-s2.0-S0167404811000666&_acct=C000228598&_version=1& _ userid=10&_ts=1317587159&md5=2281c8e9b9a1db1d86b0cc20adc8c236. Visited on. 02 October 2011.

[412] 413. Rutvij H. J., Ashish D. P., Jatin D. P. and Bhavin I. S. MANET Routing Protocols and Wormhole Attack against AODV. International Journal of Computer Science and Network Security. April 2010. Vol. 10, No. 4, pp. 12-18.

[413] 414. Andrew S. J., Joseph A. C. and Dinesh S. D. Mitigating Consumer Perceptions of Privacy and Security Risks with the Use of Residual RFID Technologies through Governmental Trust.Journal of Information System Security. (Information Institute Publishing, Washington DC, USA). 2008.Volume 4, Number 1, pp. 41–65.

[414] 415. R. LaRose, N. Rifon, S. Liu, and D. Lee. Understanding Online Safety Behavior. A Multivariate Model. 55th Annual Conference of the International Communication Association. (New York, NY, USA). 2005.

[415] 416. Chwan-Hwa 'John' Wu, Tong L., Chun-Ching 'Andy' Huang and J. David I. Modelling and simulations for Identity-Based Privacy-Protected Access Control Filter (IPACF) capability to resist massive denial of service attacks. International Journal of Information and Computer Security. (USA). 2009. Vol. 3, No.2, pp. 195 – 223.

[416] 417. Aameek S., Ling L. and Mustaque A. Privacy analysis and enhancements for data sharing in *nix systems.International Journal of Information and Computer Security. (USA). 2008. Vol. 2, No.4, pp. 376 – 410.

[417] 418. Shirin E. Privacy and consent in the digital era.Information Security Technical Report. August 2009. Volume 14, Issue 3, pp. 113-118.

[418] 419. Andrew C. Privacy and public policy delivery – Dichotomy or design.Information Security Technical Report. (UK). August 2009. Volume 14, Issue 3, Pages 131-137.

[419] 420. Allan T., Po-WahYau, and John A. MacDonald. Privacy threats in a mobile enterprise social network.Information Security Technical Report. (UK). May 2010. Volume 15, Issue 2, Pages 57-66.

[420] 421. Murat K. and Onur K. Privacy-preserving data mining in the malicious model. International Journal of Information and Computer Security. (USA). 2008. Vol. 2, No.4, pp. 353 – 375.

[421] 422. Fernando E., Elena S. A., Paul H., Haixia J. and Stephanie F. Protecting data privacy through hard-to-reverse negative databases. International Journal of Information Security. July 24, 2007. Volume 6, Number 6, pp. 403-415.

[422] 423. Jinzhu Kong. Protecting the Confidentiality of Virtual Machines Against Untrusted Host.International Symposium on Intelligence Information Processing and Trusted Computing. 2010. Pages 364-368.

[423] 424. Awais S., Alessandro G. and Sead M. Security architecture and methodology for authorization of mobile agents.International Journal of Internet Technology and Secured Transactions. (Sweden). 2010. Vol. 2, No.3/4, pp. 271 – 290.

[424] 425. Abdelrahman D. Sumstega. summarisation-based steganography methodology.International

Page 33: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 98

Journal of Information and Computer Security. (USA). 2011. Vol. 4, No.3, pp. 234 – 263.

[425] 426. Vural Ü. and Thomas H. The Access-Usage-Control-Matrix. A Heuristic Tool for Implementing a Selected Level of Technical Content Protection. IEEE International Conference on E-Commerce Technology (CEC'05). 2005. Pages 512-517.

[426] 427. Jo B., and Mathias K. Disclosure of personal information and online privacy. Control, choice and consequences. Information Security Technical Report. (UK). August 2009. Volume 14, Issue 3, Pages 160-166.

[427] 428. Artemios G. Voyiatzis and Dimitrios N. Serpanos. Active Hardware Attacks and Proactive Countermeasures.IEEE Symposium on Computers and Communications (ISCC'02), 2002. pp. 361.

[428] 429. George F. and Mike B. Caveat venditor. Information Security Technical Report. (UK). February 2010. Volume 15, Issue 1, Pages 28-32.

[429] 430. Alexander W. D. Choosing key sizes for cryptography. Information Security Technical Report. (UK). February 2010. Volume 15, Issue 1, pp. 21-27.

[430] 431. Chris S. Cryptography in the real world.Information Security Technical Report. February 2010. Volume 15, Issue 1, pp 2-7.

[431] 432. M.L. Damiani, E. Bertino and P. Perlasca. Data security in location-aware applications. an approach based on RBAC.International Journal of Information and Computer Security. (Italy). 2007. Vol. 1, No.1/2, pp. 5 – 38.

[432] 433. Hao Yang, Eric O., Dan M., Songwu L. and Lixia Z. Deploying Cryptography in Internet-Scale Systems. A Case Study on DNSSEC. IEEE Transactions on Dependable and Secure Computing. September/October, 2011. Vol. 8, no. 5, pp. 656-669.

[433] 434. Guojun W., Qin L., Jie W. and Minyi G. Hierarchical attribute-based encryption and scalable user revocation for sharing data in cloud servers. Computer security. July 2011. Volume 30, Issue 5, Pages 320-331.

[434] 435. Sriramkrishnan S. Identity based encryption. Progress and challenges.Information Security TechnicalReport. February 2010. Volume 15, Issue 1, UK, pp. 33-40.

[435] 436. Hoon W. L. and Kenneth G. P. Identity-based cryptography for grid security. International Journal of Information Security. 2010. Volume 10, Number 1, pp. 15-32.

[436] 437. Berkant U. Integrating identity-based and certificate-based authenticated key exchange protocols. International Journal of Information Security. 2011. Volume 10, Number 4, pp. 201-212.

[437] 438. Jens-Matthias B., Stefan R. and Rainer S. Key substitution attacks revisited. Taking into account malicious signers.International Journal of Information Security. 2004. Volume 5, Number 1, pp. 30-36.

[438] 439. Tsai, K.Y., Hsu, C.L. and Wu, T.C. Mutual anonymity protocol with integrity protection for mobile peer-to-peer networks. International Journal of Security and Networks. 2010. Vol. 5, No. 1, pp.45–52.

[439] 440. S. Davod. M.i and H. Khaleghei B. On the vulnerability of Simplified AES Algorithm Against Linear Cryptanalysis.International Journal of Computer Science and Network Security. Jul 2007. Vol. 7, No. 7, pp. 257-263.

[440] 441. Amitabh S., Ben S.One-Way Signature Chaining. a new paradigm for group cryptosystem.International Journal of Information and Computer Security. (Australia). 2008. Vol. 2, No.3, pp. 268 – 296.

[441] 442. Dalit N. and Moni N. Protecting Cryptographic Keys. The Trace-and-Revoke Approach. Computer. July, 2003. Vol. 36, no. 7, pp. 47-53.

[442] 443. Olakanmi O. Oladayo. RC42's innovative way for data security in wireless data communication. International Journal of Information and Computer Security. 2011. Vol. 4, No.3, pp. 264 – 275.

[443] 444. Dimitrios P., Chez C., and Fred P. The status of National PKIs – A European overview. Information Security Technical Report. (Greece). February 2010. Volume 15, Issue 1, Pages 13-20.

[444] 445. Bhargav B. Three Tier Encryption Algorithm for Secure File Transfer.International Conference on Computer Engineering and Applications. 2010. Vol. 2, pp. 259-263.

[445] 446. Tieyan Li and Guilin Wang. Analyzing a Family of Key Protection Schemes against Modification Attacks.IEEE Transactions on Dependable and Secure Computing.September/October, 2011. Vol. 8, no. 5, pp. 770-776.

[446] 447. HP. White Paper.HP Imaging and Printing Security Best Practices-Configuring Security for Multiple LaserJet MFPs, Color LaserJet MFPs, and Color MFPs with Edgeline Technology. Version 3.0. Hewlett-Packard Development Company. (USA). 2007.

[447] 448. Seokhee L., Antonio S., Sangjin L. and Jongin L. Password Recovery Using an Evidence Collection Tool and Countermeasures.International Conference on Information Hiding and Multimedia Signal Processing. 2007. Vol. 2, pp. 97-102.

[448] 449. Wael K., Nora C. B., Frédéric C. and Samuel D. Risk-Aware Framework for Activating and Deactivating Policy-Based Response.International Conference on Network and System Security. 2010. Page 207-215.

[449] 450. Eric S. Using NFS to support a virtual server environment. TechTarget. July 2011. Available at.http.//searchvirtualstorage.techtarget.com/podcast/Using-NFS-to-support-a-virtual-server-environment?utm_content=nl1&utm_medium=EMA

Page 34: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 99

IL&asrc=EM_CSP_14418298&mo =1&utm_source=sVirtualStorage&utm_campaign=HOUSE-UTTS-Jul1211&Offer=mn_ eh071211VSTRUTTS_nl1. Visited on. 12 July 2011.

[450] 451. Artem V., Jun H. and Nargiza B. An Ontology Framework for Managing Security Attacks and Defences in Component Based Software Systems. Australian Conference on Software Engineering (aswec 2008). 2008. Page 552-561.

[451] 452. Kefei C., Meng G., Ruijie G. Analysis and Research on HTTPS Hijacking Attacks.International Conference on Networks Security, Wireless Communications and Trusted Computing. 2010. Vol. 2, pp. 223-226.

[452] 453. Igor M., and Chris B.Cloud security technologies. Information Security Technical Report. (UK). February 2009. Volume 14, Issue 1, Pages 1-6.

[453] 454. Igor K. Framework for Integrated Proactive Network Worm Detection and Response.Euromicro Conference on Parallel, Distributed and Network-based Processing. 2009. Page 379-386.

[454] 455. Ellen M. Banks battling crooks who hijack customer PCs. Network World. (United States). Jun 21, 2010. Vol. 27, Iss. 12, pp. 1-3.

[455] 456. Robin S. and Nikita B. Improving Security and Performance in the Tor Network through Tunable Path Selection. IEEE Transactions on Dependable and Secure Computing. September/October, 2011. Vol. 8, no. 5, pp. 728-741.

[456] 457. Lamar University. Information Security Best Practices. Lamar University. (USA). May 2011. Available at. http.//networking.lamar.edu/files/LU%20 Best%20Practices%20Final.pdf. Visited on. 10th May 2011.

[457] 458. Christina T.IT organization of the future is a hybrid. TechTarget. July 2011. Available at. http.//itknowledgeexchange.techtarget.com/total-cio/it-organization-of-the-future-is-a-hybrid/?track=NL-964&ad=842027HOUSE& asrc=EM_NLN_14530464&uid=9554581. Visited on. 27th Jul 2011.

[458] 459. Wei Y., Nan Z., Xinwen F., Riccardo B. and Wei Z. Localization Attacks to Internet Threat Monitors. Modeling and Countermeasures. IEEE Transactions on Computers. December, 2010. Vol. 59, no. 12, pp. 1655-1668.

[459] 460. Kyle I., Matthew C., Richard L., Seth W. and Stephen B. Modeling Modern Network Attacks and Countermeasures Using Attack Graphs. Annual Computer Security Applications Conference. 2009. Pages 117-126.

[460] 461. Patrick K. Staying one step ahead of the hackers. NZ Business. (New Zealand). Jul 2010. Vol. 24, Iss. 6, pp. 50.

[461] 462. SAFECode. White-Paper. Software Assurance. An Overview of Current Industry Best

Practices. Software Assurance Forum for Excellence in Code. (SafeCode Org., USA). February 2008.

[462] 463. Phil, Cox. White-Paper. Cloud Computing Security Up Close. TechTarget. July, 2011. Available at. http.//docs.media.bitpipe.com /io_24x/io_24145/item_428837/sCloudcomputing_cloud%20security_v2.pdf. Visited on. 12 July 2011.

[463] 464. Jerry Johnson. Network Defense Requires Layers of Strategic Thinking. Information Week. (USA). Feb 25, 2008. Iss. 1174, pp. 43 - 49.

[464] 465. Julio C. H., José M. S., Arturo R. and Benjamín R. Search Engines as a Security Threat.Computer. October, 2001. Vol. 34, no. 10, pp. 25-30.

[465] 466. Laura Didio. White-Paper. Service School. Security Considerations For a Windows Server Integration. Information Technology Intelligence Corporation. 2009.

[466] 467. Robert WesterVelt. Security Response Grapple With Cloud Computing. Information security magazine. July/August 2010. Vol. 12. Number 6, pp 13-14.

[467] 468. Lincoln D. S. & John N. S. The World Wide Web Security FAQ. W3C Organization. Available at. http.//www.w3.org/Security/faq/. Visited on. 21 Oct 2010.

[468] 469. Symantec. White-Paper. Symantec™ Endpoint Protection and Symantec™ Endpoint Protection Small Business Edition Beta FAQ. Symantec Corporation. (USA). 2011.

[469] 470. Adrian Lance. Database Auditing Tools. Information Security Magazine. October, 2010. Vol. 12. Number 8, pp. 40-45.

[470] 471. ISM. Midyear Breach Report. Information security magazine. July/August 2010. Vol. 12. Number 6, PP 15.

[471] 472. Common Weakness Enumeration. CWE - VIEW SLICE CWE-2000 Comprehensive CWE Dictionary (1_9). CWE Organization. (USA). 2011. Available at. http.//cwe.mitre.org/find/index.html. Visited on. 08 Oct. 2010.

[472] 473. Hwasu S., Jong-sub M. and Manhyun C. A Distributed and Dynamic System for Detecting Malware. IEEE International Conference on Advanced Information Networking and Applications Workshops. 2011. Page 783-788

[473] 474. Joseph L. H. Email Attachments. Best Practices. University of California. Available at. http.//astron.berkeley.edu/~jhall/export/attachments.pdf. Visited on. 02 Jan 2011.

[474] 475. Zesheng C., Chao C. and Yubin L. Deriving a closed-form expression for worm-scanning strategies. International Journal of Security and Networks. (USA). 2009. Vol. 4, No.3, pp. 135 – 144.

[475] 476. Arati B., Vinod G. and Liviu I. Detecting Kernel-Level Rootkits Using Data Structure Invariants.IEEE Transactions on Dependable and

Page 35: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 100

Secure Computing. September/October, 2011. Vol. 8, no. 5, pp. 670-684.

[476] 477. Ismahani I., Muhammad N. M. and Sulaiman M. N. Detecting Worms Using Data Mining Techniques. Learning in the Presence of Class Noise. IEEE International Conference on Signal-Image Technology and Internet Based Systems. 2010. pp. 187-194.

[477] 478. Asaf S., Robert M., Yuval E., and Chanan G. Detection of malicious code by applying machine learning classifiers on static features. A state-of-the-art survey.Information Security Technical Report. February 2009. Volume 14, Issue 1, Pages 16-29

[478] 479. Raja K. S., Syed I. H., Niklas L. Detection of Spyware by Mining Executable Files. International Conference on Availability, Reliability and Security. 2010. Pages. 295-302.

[479] 480. Pavel C., Radek K., Jan V., Martin D. Embedded Malware - An Analysis of the Chuck Norris Botnet. European Conference on Computer Network Defense. 2010. pp. 3-10.

[480] 481. Ramesh K., Jeyavijayan R., Kurt R. and Mohammad T. Trustworthy Hardware. Identifying and Classifying Hardware Trojans.Computer. October, 2010. Vol. 43, no. 10, pp. 39-46.

[481] 482. Wei Y., Nan Z., Xinwen F. and Wei Z. Self-Disciplinary Worms and Countermeasures. Modeling and Analysis. IEEE Transactions on Parallel and Distributed Systems. October, 2010. Vol. 21, no. 10, pp. 1501-1514.

[482] 483. Desmond Lobo, Paul Watters, Xin-Wen Wu and Li Sun. Windows Rootkits. Attacks and Countermeasures. Cybercrime and Trustworthy Computing Workshop. 2010. Page. 69-78.

[483] 484. Xie L., Xu Yong-jun, Pan Y., Zhu Yue-fei. A Polynomial-Based Countermeasure to Selective Forwarding Attacks in Sensor Networks. WRI International Conference on Communications and Mobile Computing. 2009. Vol. 3, pp. 455-459.

[484] 485. Yu Ming. A Probabilistic Drop Scheme for Mitigating SYN Flooding Attacks. International Conference on Networks Security, Wireless Communications and Trusted Computing. 2009. Vol. 1, pp. 732-734.

[485] 486. Saravanan K. An effective defence mechanism for Distributed Denial-of-Service (DDoS) attacks using router-based techniques. International Journal of Critical Infrastructures. (Department of CSE, Erode Sengunthar Engineering College, ERODE-57, India). 2010. Vol. 6, No.1, pp. 73 – 80.

[486] 487. F. Al-Haidari, M. Sqalli, K. Salah and J. Hamodi. An Entropy-Based Countermeasure against Intelligent DoS Attacks Targeting Firewalls. IEEE International Symposium on Policies for Distributed Systems and Networks, 2009. Pages. 41-44.

[487] 488. Wei Y., Xun W., Xinwen F., Dong X. and Wei Z. An Invisible Localization Attack to Internet Threat Monitors.IEEE Transactions on Parallel and

Distributed Systems. November, 2009. Vol. 20, no. 11, pp. 1611-1625.

[488] 489. Haining W., Danlu Z. and Kang G. S. Change-Point Monitoring for the Detection of DoS Attacks. IEEE Transactions on Dependable and Secure Computing. October-December, 2004. Vol. 1, no. 4, pp. 193-208.

[489] 490. Yinghua G. and Sylvie P. Detect DDoS flooding attacks in mobile ad hoc networks.International Journal of Security and Networks. (South Australia). 2010. Vol. 5, No.4, pp. 259 – 269.

[490] 491. Hyun-Soo C., Jea-Tek R., Byeong-hee R., Jeong-Wook K. and Hyun-Cheol J. Detection of SIP De-Registration and Call-Disruption Attacks Using a Retransmission Mechanism and a Countermeasure Scheme. IEEE International Conference on Signal Image Technology and Internet Based Systems. 2008. Pages. 650-656.

[491] 492. Mauro C., Roberto Di P., Luigi V. M. and Alessandro M. Distributed Detection of Clone Attacks in Wireless Sensor Networks.IEEE Transactions on Dependable and Secure Computing. September/October, 2011. Vol. 8, no. 5, pp. 685-698.

[492] 493. Jerry Johnson.Security Smarts. Information Week. (USA). Feb 25, 2008. Iss. 1174, pp. 43 – 49. PQ-ID (1446188071). Available at. http.//proquest.umi.com/pqdweb?RQT=568&VInst=PROD&VName=PQD&VType=PQD&Fmt=3&did=1446188071&TS=1279103794.

[493] 494. Jacques J.A. Fournier and Philippe L. M. Memory Address Scrambling Revealed Using Fault Attacks. Workshop on Fault Diagnosis and Tolerance in Cryptography. 2010. Pages. 30-36.

[494] 495. Yinan J., Zheng X., Xueping W. and Gendu Z. O2-DN. An Overlay-based Distributed Rate Limit Framework to Defeat DDoS Attacks. International Conference on Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies (ICNICONSMCL'06). 2006. Pages. 79.

[495] 496. Yihong Z., Dapeng W. and Scott M. N. On MAC-layer denial of service attacks in IEEE 802.11 ad hoc networks. analysis and counter measures.International Journal of Wireless and Mobile Computing. (USA). 2006. Vol. 1, No.3/4, pp. 268 – 275.

[496] 497. Alejandro P. and Loukas L. Packet-Hiding Methods for Preventing Selective Jamming Attacks.IEEE Transactions on Dependable and Secure Computing. (IEEE Computer Society, 2011). Vol. 99, no. 1.

[497] 498. Jun X. and Wooyong L. Sustaining Availability of Web Services under Distributed Denial of Service Attacks. IEEE Transactions on Computers. February, 2003. Vol. 52, no. 2, pp. 195-208.

Page 36: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 101

[498] 499. Xiao F. W. and Michael K. R. Using Web-Referral Architectures to Mitigate Denial-of-Service Threats. IEEE Transactions on Dependable and Secure Computing. April-June, 2010. Vol. 7, no. 2, pp. 203-216.

[499] 500. National Institute of Standards and Technology. Risk Management Framework (RMF) Overview. NIST. Available at. http.//csrc.nist.gov/groups/SMA/fisma/framework.html. Visited on. 17th April, 2011.

[500] 501. Imperva. White paper. SecureSphere and OWASP 2010 Top Ten Most Critical Web Application Security Risks. Imperva (USA). 2010. Available at. http.//www.imperva.com/docs/TB_SecureSphere_ OWASP_2010-Top-Ten.pdf. Visited on. 7th April, 2011. Visited on. 7th April, 2011.

[501] 502. Ponemon Institute. White paper. State of Web Application Security Executive Summary. Ponemon Institute LLC. Feb 2011. Available at. http.//www.barracudanetworks.com/ns/downloads/White_Papers/Barracuda_Web_App_Firewall_WP_Cenzic_Exec_Summary.pdf. Visited on. 17th Nov 2011.

[502] 503. Fazirulhisyam H. and Abbas J. A generic sampling framework for improving anomaly detection in the next generation network. Security and Communication Networks. John Wiley & Son Ltd (USA). August 2011. Volume 4. Issue 8. Pages. 919–936.

[503] 504. Huei-Ru T., Rong-Hong J. and Wuu Y. A robust user authentication scheme with self-certificates for wireless sensor networks. Security and Communication Networks.John Wiley & Son Ltd (USA).August 2011.Volume 4. Issue 8. Pages. 815–824.

[504] 505. Jahangir H. S. and Hussein T. M. A self-stabilized random access protocol against denial of service attack in wireless networks. Security and Communication Networks. John Wiley & Son Ltd (USA). September 2011.Volume 4. Issue 9. Pages.1075–1087.

[505] 506. Joon S. P., Gaeil A. and Ivy Y. L.Active access control (AAC) with fine-granularity and scalability. Security and Communication Networks. John Wiley & Son Ltd (USA). October 2011.Volume 4. Issue 10. Pages. 1114–1129.

[506] 507. J. Hu, X. D. Hoang and I. Khalil. An embedded DSP hardware encryption module for secure e-commerce transactions.Security and Communication Networks.John Wiley & Son Ltd (USA). August 2011.Volume 4. Issue 8. Pages. 902–909.

[507] 508. Hedieh S. and Mansour J. HYSA. HYbridsteganographic approach using multiple steganography methods. Security and Communication Networks. John Wiley & Son Ltd (USA). October 2011.Volume 4. Issue 10. Pages. 1173–1184.

[508] 509. Scott F., Sherali Z. and Naveen C. Impact of denial of service solutions on network quality of service. Security and Communication Networks. John Wiley & Son Ltd (USA). October 2011.Volume 4. Issue 10. Pages. 1089–1103.

[509] 510. Jung-Shian L., Che-Jen H., Chih-Ying C. and Naveen C. Improved IPsec performance utilizing transport-layer-aware compression architecture.Security and Communication Networks.John Wiley & Son Ltd (USA). September 2011.Volume 4. Issue 9. Pages. 1063–1074.

[510] 511. Asafshabtai, Dennis P., Yuval F., Robert M. and Yuval E. Monitoring, analysis, and filtering system for purifying network traffic of known and unknown malicious content.Security and Communication Networks.John Wiley & Son Ltd (USA). August 2011.Volume 4. Issue 8. pp. 947–965.

[511] 512. Norman S. Metrics for Mitigating Cybersecurity Threats to Networks. IEEE Internet Computing. January/February, 2010. Vol. 14, Iss. no. 1, pp. 64-71.

[512] 513. IBM security solutions. White Paper.Trend and risk report.X-force. Corporation. (USA). 2009. Available at. http.//www.pathmaker-group.com/whitepapers/ xforce_2009_Trends.pdf. Visited 01 January 2012.

[513] 514. Keith Harrison and Gregory White. An Empirical Study on the Effectiveness of Common Security Measures. 43rd Hawaii International Conference on System Sciences (hicss).IEEE computer society (USA). 2010. Pages 1-7.

[514] 515. IBM Global Technology Services. White Paper. IBM Internet Security Systems X-Force Threat Insight Quarterly. IBM Corporation. (USA). July 2009. Available at. http.//public.dhe.ibm.com/common/ssi/ecm/en/sel03003usen/SEL03003USEN.PDF. Visited on21 Feb 2012.

[515] 516. IBM Global Technology Services. White Paper.IBM Internet Security Systems X-Force Threat Insight Quarterly.IBM Corporation. (USA). Third quarter 2008. Available at. http.//www-935.ibm.com/services/tw/gts/iss/xforce/xftim_08q3.pdf. Visited on 20 February 2012.

[516] 517. Nick Lewis. Email, website and IP spoofing. How to prevent a spoofing attack. TechTarget. 2012. Available at.http.//searchsecurity.techtarget.com/tip/Email-website-and-IP-spoofing-How-to-prevent-a-spoofing-attack?asrc=EM_USC_16481228&pre=off&track=NL-105&ad=861926&Offer=mn_lh102609SRTYNSUR_HowTo&. Visited on. 27 February 2012.

[517] 518. Thawte. White Paper. Best practices for mobile authentication. TechTarget. 2012. Available at.http.//docs.media.bitpipe.com/io_10x/io_103456/item_501809/Thawte_sConsumerization_IO%231034

Page 37: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 102

56%20_E-Guide_ 012412.pdf. Visited on. 28 February 2012.

[518] 519. Marc Van Zadelhoff. Introducing the Updated IBM Security Framework. Available at.http.//www.instituteforadvancedsecurity.com/expertblog/2012/02/01/introducing-the-updated-ibm-security-framework/. Visited on 19 February 2012.

[519] 520. Ed Skoudis. How can hackers bypass proxy servers. TechTarget. 2012. Available at. http.//searchsecurity.techtarget.com/answer/How-can-hackers-bypass-proxy-servers?asrc=EM_USC_16481229&pre=off&track=NL-105&ad=861926&Offer=mn_lh102609SRTYNSUR_HowTo&.Visited on. 07 March 2012.

[520] 521. Stephen Cobb. A guide to internal and external network security auditing. TechTarget. 2012. Available at.http.//searchsecurity.techtarget.com/tip/A-guide-to-internal-and-external-network-security-auditing. Visited on. 27 February 2012.

[521] 522. Roberta Bragg. Checklist. Lock down PCs, workgroups and AD domains. TechTarget. 2012. Available at. http.//searchwindowsserver.techtarget.com /tip/Checklist-Lock-down-PCs-workgroups-and-AD-domains. Visited on. 27 February 2012.

[522] 523. Roberta Bragg. Checklist. Secure domain controller settings. TechTarget. 2012. Available at. http.//searchwindowsserver.techtarget.com/feature/Checklist-Secure-domain-controller-settings. Visited on. 27 February 2012.

[523] 524. Mike Chapple. Egress filtering. TechTarget. 2012. Available at. http.//searchsecurity.techtarget.com/tip/Egress-filtering. Visited on. 27 February 2012.

[524] 525. Hewlett-Packard Development Company. White Paper. Eight questions to ask about your intrusion security solution. HP. 2011. Available at. http.//docs.media.bitpipe.com/io_10x/io_ 103383/item_ 503000/8%20questions%20to%20ask%20about%20your%20intrusion%20 protection%20 solution.pdf. Visited on 22 February 2012.

[525] 526. Michael S. Hacking back puts security on the offensive. TechTarget. 2012. Available at.http.//searchsecurity.techtarget.com/news/2240131676/Hacking-back-puts-security-on-the-offensive?asrc=EM_NLN_16592568&track=NL-102&ad=864544HOUSE&. Visited on. 07 March 2012.

[526] 527. Kevin Beaver. How to use Metasploit commands for real-world security tests. TechTarget. 2012. Available at.http.//searchsecurity.techtarget.com/tip/Using-Metasploit-for-real-world-security-tests. Visited on. 07 March 2012.

[527] 528. Matt Bishop, Sophie Engle, Damien Howard and Sean Whalen. A Taxonomy of Buffer Overflow Characteristics. IEEE Transactions on Dependable and Secure computing. Vol. 9, no.3, No. 3. May-June 2012. Pages 305 - 317.

[528] 529. Chris Cox. Network security checklist. TechTarget. 2012. Available at. http.//searchnetworking.techtarget.com/tip/Network-security-checklist. Visited on. 27 February 2012.

[529] 530. Gunnar Peterson. White Paper. Security gateway buyer's guide. The Intel Application Security & Identity Products Group. (USA). 2011. Available at. www.intel.com/go/identity. Visited on 28 March 2012

[530] 531. David Jacobs. How to perform a network security audit for customers. TechTarget. 2012. Available at. http.//searchsecuritychannel.techtarget. com/tip/How-to-perform-a-network-security-audit-for-customers. Visited on. 27 February 2012.

[531] 532. Glenn Brunette and Rich Mogull. White Paper. Security Guidance for Critical Areas of Focus in Cloud Computing V2.1. Cloud Security Alliance.. 2009. Available at. http.//www.cloudsecurityalliance.org/ guidance/csaguide.v2.1.pdf. Visited on 28 March 2012

[532] 533. Michael Cobb. Locking down your Web applications. TechTarget. 2012. Available at.http.//searchsecurity.techtarget.com/feature/Locking-down-your-Web-applications. Visited on. 27 February 2012.

[533] 534. RSA. White Paper. Making Sense of Manin-the-browser Attacks. Threat Analysis and Mitigation for Financial Institutions. RSA security LLC. (USA). 2010.

[534] 535. Nick Lewis. Why attackers exploit multiple zero-day attacks and how to respond. TechTarget. 2012. Available at.http.//searchsecurity.techtarget.com/tip/Why-attackers-exploit-multiple-zero-day-attacks-and-how-to-respond. Visited on. 27 February 2012.

[535] 536. You Chen, Steve Nyemba and Bradley Malin. Detecting Anomalous Insiders in Collaborative Information Systems. IEEE Transactions on Dependable and Secure Computing. Vol. 9, no. 3. May/June, 2012. Pages 332-344.

[536] 537. Don Jones. White Paper. Reaching the Tipping Point for Two-Factor Authentication. Quest Software Inc. 2009. Available at. www.quest.com/defender. Visited on 20 February 2012.

[537] 538. K. Lai, D. Wren. White Paper. Fast and Effective Endpoint Security for Business – Comparative Analysis. PassMark Software. (Sydney, Australia). June 2010. Available at. www.quest.com/defender.Visited on 20 February 2012.

Page 38: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 103

[538] 539. Rob Shapland. Session fixation protection. How to stop session fixation attacks. TechTarget. June 2010. Available at. http.//searchsecurity. techtarget.co. uk/answer/Session-fixation-protection-How-to-stop-session-fixation-attacks? asrc=EM_NLT_16612899& track=NL-988&ad=862613&).Visited on 20 February 2012.

[539] 540. John Kindervag. Ease credit card risks. POS encryption and data tokenization for PCI. TechTarget. Available at. http.//searchsecurity. techtarget.com/tip/Ease-credit-card-risks-POS-encryption-and-data-tokenization-for-PCI. Visited on 28 March 2012.

[540] 541. Dave Shackleford.Penetration testing tutorial. Guidance for effective pen tests. TechTarget. Available at. http.//searchsecuritychannel. techtarget.com/tip/Wow-your-client-with-a-winning-penetration-testing-report. Visited on 18 March 2012.

[541] 542. Hongxin Hu, Gail-JoonAhn and KetanKulkarni. Detecting and Resolving Firewall Policy Anomalies. IEEE Transactions on Dependable and Secure Computing. Vol. 9, no. 3. May/June, 2012. Pages. 318-331.

[542] 543. Sattarova Feruza Y. and Tao-hoon Kim. IT Security Review. Privacy, Protection, Access Control, Assurance and System Security. International Journal of Multimedia and Ubiquitous Engineering. Vol. 2, No. 2. April, 2007. Pages. 17-31.

[543] 544. Prescott E Small. White Paper. Defense in Depth. An Impractical Strategy for a Cyber World. SANS Institute. 2012. Available at. http.//www.sans.org/reading_room/whitepapers/assurance/defense-depth-impractical-strategy-cyber-world_33896. Visited on 28 March 2012.

[544] 545. Christopher J. May, Josh Hammerstein, Jeff Mattson and Kristopher Rush. White Paper. Defense-in-Depth. Foundations for Secure and Resilient IT Enterprises (CMU/SEI-2006-HB-003). Carnegie Mellon University. September 2006. Available at. http.//www.sei.cmu.edu/publications/pubweb.html. Visited on. 28 March 2012.

[545] 546. US-CERT. White Paper. Recommended Practice. Improving Industrial Control Systems Cybersecuritywith Defense-In-Depth Strategies. U.S. Department of Homeland Security. October 2009.Available at. http.//www.us-cert.gov/control_systems/practices/documents/Defense_in_ Depth_ Oct09.pdf . Visited on. 28 March 2012.

[546] 547. Michael Cobb. SQL injection detection tools and prevention strategies. TechTarget. 2012. Available at. http.//searchsecurity.techtarget.co.uk/tip/SQL-injection-detection-tools-and-prevention-strategies. Visited on. 07 March 2012.

[547] 548. Denny Cherry. Securing SQL Server. Syngress (USA). 2011. Pages 149-169.

[548] 549. Peckham, M. Sony grappling with 55 US lawsuits after PSN hack. PC World. 2011, April 27. Available at. http.//www.pcworld.com/article/ 226385/sonys_playstation_network_disaster_what_happens_next.html. Visited on. 05 May 2011.

[549] 550. Ernesto Damiani, Seth Proctor, and Anoop Singhal. Security and Dependability in SOA and Business Processes. IEEE Transactions on services computing. Vol. 4, No. 4. October-December 2011. Pages 255 - 256.

[550] 551. Goodin, D. Stolen RSA data used to hack defense contractor. The Register. 2011, June 6. Available at. http.//www.theregister.co.uk/2011/06/06/lockheed_martin_securid_hack/ . Visited on 10 June 2011.

[551] 552. Zetter, K. Citi credit card hack bigger than originally disclosed. Wired. 2011, June 16. Available at. http.//www.wired.com/threatlevel/2011/06/citibank-hacked/ . Visited on. 20 June 2011.

[552] 553. Associated Press. Anonymous at it again. defense contractor hacked. CBS News Tech. 2011, July 11. Available at.http.//www.cbsnews.com/stories/2011/07/11/scitech/main20078614.shtml. Visited on. 13 July 2011.

[553] 554. Goodin, D. Anonymous hacks US gov contractor, airs dirty laundry. The Register. 2011, July 30. Available at.http.//www.theregister.co.uk/2011/07/30/anonymous_claims_mantech_hack/. Visited on. 06 August 2011.

[554] 555. Lennon, M. Anonymous hacks mantech, FBI cybersecurity contractor. Security Week. 2011, July 29. Available at. http.//www.securityweek.com/anonymous-claims-ithacked-mantech-fbi-cybersecurity-contractor. Visited on. 06 August 2011.

[555] 556. McMillan, R. Anonymous hackers leak documents from security contractor mantech. Tech World. 2011, August 01. Available at. http.//news.techworld.com/security/3294530/anonymous-hackers-leak-documents-fromsecurity-contractor-mantech/. Visited on. 06 August 2011.

[556] 557. Tsukayama, H. Cyber attack on rsa cost emc $66 million. Washington Post. 2011, July 26. Available at. http.//www.washingtonpost.com/blogs/posttech/post/cyber-attack-on-rsa-cost-emc-66-million/2011/07/26/gIQA1ceKbI_blog.html. Visited on. 29 July 2011.

[557] 558. Peckham, M. Sony grappling with 55 US lawsuits after PSN hack. PC World. 2011, July 22. Available at. http.//www.pcworld.com/article /236330/sony_grappling_with_55_us_lawsuits_after_psn_hack.html. Visited on. 06 August 2011.

[558] 559. Storm, D. Epsilon breach. hack of the century?. Computer World. 2011. April 04. Available at. http.//blogs.computerworld.com/18079/

Page 39: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 104

epsilon_breach_hack_of_the_century. Visited on. 10 April 2011.

[559] 560. Gregory B. White. The Community Cyber Security Maturity Model. 40th Hawaii International Conference on System Sciences. IEEE computer society (USA). 2007. Pages. 1-8.

[560] 561. BERR. White Paper. Information security. How to write an information security policy. Department for Business, Enterprise & Regulatory Reform. (UK). 2009. Available at. http.//webarchive.nationalarchives. gov.uk/+/http.//www.bis.gov.uk/files/file49963.pdf . Visited on. 07 February 2012.

[561] 562. Phil Cox, Neil Roiter and Lisa Phifer. White Paper. Technical Guide on Windows Security. TechTarget. (USA). 2011.

[562] 563. Andreas Ekelhart, Stefan Fenz and Thomas Neubauer. AURUM. A Framework for Information Security Risk Management. 42nd Hawaii International Conference on System Sciences. IEEE computer society. (USA). 2009. Pages. 1-10.

[563] 564. IBM Global Technology Services. White Paper. IBM X-Force 2011 Mid-year Trend and Risk Report. IBM Corporation. (USA). 2011. Available at. http.//www.ibm.com/common/ssi/cgi-bin/ssialias?subtype =WH&infotype=SA&appname=SWGE_WG_WG_USEN&htmlfid=WGL03009USEN&attachment=WGL03009USEN.PDF. Visited on21 Feb 2012.

[564] 565. John P. Murphy, Vincent H. Berk, and Ian Gregorio-de Souza. Decision Support Procedure in the Insider Threat Domain. IEEE CS on Security and Privacy Workshops. IEEE computer society (USA). 2012. Pages 159 - 163.

[565] 566. Sumit More, Mary Matthews, Anupam Joshi, and Tim Finin. A Knowledge-Based Approach to Intrusion Detection Modeling. IEEE CS on Security and Privacy Workshops. IEEE computer society (USA). 2012. Pages 76 - 81.

[566] 567. Hao Zhang, William Banick, Danfeng Yao, and Naren Ramakrishnan. User Intention-Based Traffic Dependence Analysis for Anomaly Detection. IEEE CS on Security and Privacy Workshops. IEEE computer society (USA). 2012. Pages 104 - 112.

[567] 568. Shuaifu Dai, Tao Wei, Chao Zhang, Tielei Wang, Yu Ding, Zhenkai Liang,and Wei Zou. A Framework to Eliminate Backdoors from Response-Computable Authentication. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 3-17.

[568] 569. Mathias Payer, Tobias Hartmann, and Thomas R. Gross Safe Loading - A Foundation for Secure Execution of Untrusted Programs. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 18 - 32.

[569] 570. Yinglei Wang, Wing-kei Yu, Shuo Wu, Greg Malysa, G. Edward Suh,

[570] and Edwin C. Kan. Flash Memory for Ubiquitous Hardware Security Functions. True Random Number Generation and Device Fingerprints. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 33 - 47

[571] 571. Jiyong Jang, Abeer Agrawal, and David Brumley. ReDeBug. Finding Unpatched Code Clones in Entire OS Distributions. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 48 – 64

[572] 572. Cas Cremers, Kasper B. Rasmussen, Benedikt Schmidt, and Srdjan Capkun. Distance Hijacking Attacks on Distance Bounding Protocols. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 113 - 127.

[573] 573. D. Basin, S. Cˇ apkun, P. Schaller, and B. Schmidt. Let’s get physical. Models and methods for real-world security protocols. In Proceedings of the 22nd International Conference on Theorem Proving in Higher Order Logics, TPHOLs ’09. Springer (USA). 2009. Pages. 1–22

[574] 574. Adele E. Howe, Indrajit Ray, Mark Roberts, Malgorzata Urbanska, and Zinta Byrne. The Psychology of Security for the Home Computer User. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 209 – 223

[575] 575. Moritz Y. Becker, Alessandra Russo, and Nik Sultana. Foundations of Logic-Based Trust Management. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 161 – 175

[576] 576. Franziska Roesner, Tadayoshi Kohno, Alexander Moshchuk, Bryan Parno,Helen J. Wang, and Crispin Cowan. User-Driven Access Control. Rethinking Permission Granting in Modern Operating Systems. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 224 - 238.

[577] 577. Xeno Kovah, Corey Kallenberg, Chris Weathers, Amy Herzog, Matthew Albin, and John Butterworth. New Results for Timing-Based Attestation. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 239 - 256.

[578] 578. P. Mohassel and M. Franklin. Efficiency tradeoffs for malicious two-party computation. International Conference on Theory and Practice of Public Key Cryptography(PKC 2006). Volume 3958 of LNCS. Springer (USA). 2006. Pages. 458–473.

[579] 579. Yan Huang, Jonathan Katz, and David Evans. Quid-Pro-Quo-tocols. Strengthening Semi-honest Protocols with Dual Execution. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 272 – 284.

Page 40: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 105

[580] 580. Emiliano De Cristofaro, Claudio Soriente, Gene Tsudik, and Andrew Williams. Hummingbird. Privacy at the Time of Twitter. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 285 – 299

[581] 581. Kevin P. Dyer, Scott E. Coull, Thomas Ristenpart, and Thomas Shrimpton. Peek-a-Boo, I Still See You. Why Efficient Traffic Analysis CountermeasuresFail. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 332 – 346

[582] 582. Zhiyun Qian and Z. Morley Mao. Off-path TCP Sequence Number Inference Attack - How Firewall Middleboxes Reduce Security. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 337 – 364.

[583] 583. M. Anwar, Z. Zhao, and P. W. L. Fong.An access control model for Facebook-style social network systems.University of Algary Technical Report 2010-959-08. (Alberta, Canada). 2010.

[584] 584. Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert, and David Brumley. Unleashing Mayhem on Binary Code. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 380 - 394.

[585] 585. Jonathan R. Mayer and John C. Mitchell. Third-Party Web Tracking. Policy and Technology. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 413 - 427.

[586] 586. J. Mayer. Tracking the trackers. Selfhelp tools. September, 2011. Available at. http.//cyberlaw.stanford.edu/node/6730. Visited on 18 April 2012.

[587] 587. A. Fowler. Do Not Track Adoption in Firefox Mobile is 3x higher than desktop. November, 2011. Available at. http.//blog.mozilla.com/privacy/ 2011/11/02/ do-not-track-adoption-in-firefox-mobile-is-3x-higher-than-desktop/ . Visited on 28 April 2012.

[588] 588. J. Mayer. Tracking the trackers. Early results. July, 2011. Available at. http.//cyberlaw.stanford.edu/node/6694. Visited on 10March 2012.

[589] 589. Luca Invernizzi and Paolo Milani Comparetti. EvilSeed. A Guided Approach to Finding Malicious Web Pages. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 428 - 442.

[590] 590. Clemens Kolbitsch, Benjamin Livshits, Benjamin Zorn, and Christian Seifert. Rozzle. De-cloaking Internet Malware. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 443 - 460.

[591] 591. Sadia Afroz, Michael Brennan, and Rachel Greenstadt. Detecting Hoaxes, Frauds, and Deception in Writing Style Online. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 461 - 475.

[592] 592. Masoud Akhoondi, Curtis Yu, and Harsha V. Madhyastha. LASTor. A Low-Latency AS-Aware Tor Client. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 476 – 490.

[593] 593. Ero Balsa, Carmela Troncoso, and Claudia Diaz. OB-PWS. Obfuscation-Based Private Web Search. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 491 - 505.

[594] 594. Hsu-Chun Hsiao, Tiffany Hyun-Jin Kim, Adrian Perrig, Akira Yamada,

[595] Samuel C. Nelson, Marco Gruteser, and Wei Meng. LAP. Lightweight Anonymity and Privacy. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 506 - 522.

[596] 595. R. Dingledine, N. Mathewson, and P. Syverson. Tor. the second generationonion router. In Proceedings of conference on USENIX Security Symposium. (USA). 2004.

[597] 596. J. A. Muir and P. C. V. Oorschot. Internet geolocation. Evasion and counterevasion. ACM Comput. Surv. Vol. 42. (USA). December 2009. Pages. 4.1–4.23

[598] 597. B. Raghavan, T. Kohno, A. C. Snoeren, and D. Wetherall. Enlisting ISPs to improve online privacy. IP address mixing by default. In Proceedings of PETS. (USA). 2009.

[599] 598. V. Liu, S. Han, A. Krishnamurthy, and T. Anderson. Tor instead of IP. In Proceedings of ACM Hotnets. (USA). 2011.

[600] 599. J. Trostle, B. Way, H. Matsuoka, M. Tariq, J. Kempf, K. T. and R. Jain. Cryptographically protected prexes for location privacy in IPv6. In Proceedings of PETS. (USA). 2004

[601] 600. H. Burch and B. Cheswick. Tracing anonymous packets to their approximate source. In Proceedings of LISA. (USA). Dec. 2000.

[602] 601. T. Kohno, A. Broido, and K. C. Claffy. Remote physical device fingerprinting. IEEE Trans. Dependable Secur. Comput. Vol. 2. (USA). April 2005. Pages. 93–108.

[603] 602. Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay,Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio López. Guess Again (and Again and Again). Measuring Password Strength by Simulating Password-Cracking Algorithms. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 523 - 537.

Page 41: ISSN 2278-6856 Derivation of framework and blueprint for ... · International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: Email: editor@ijettcs.org,

International Journal of Emerging Trends & Technology in Computer Science (IJETTCS) Web Site: www.ijettcs.org Email: [email protected], [email protected]

Volume 2, Issue 5, September – October 2013 ISSN 2278-6856

Volume 2, Issue 5 September – October 2013 Page 106

[604] 603. W. E. Burr, D. F. Dodson, and W. T. Polk. Electronic authentication guideline. NIST Technical Report. (USA). 2006.

[605] 604. M. Weir, S. Aggarwal, M. Collins, and H. Stern. Testing metrics for password creation policies by attacking large sets of revealed passwords. In Proceedings CCS. (USA). 2010.

[606] 605. S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L. Bauer, N. Christin, L. F. Cranor, and S. Egelman. Of passwords and people. Measuring the effect of password-composition policies. In Proceedings CHI. (USA). 2011.

[607] 606. Joseph Bonneau. The Science of Guessing. Analyzing an Anonymized Corpus of 70 Million Passwords. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 538 – 552.

[608] 607. Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. The Quest to Replace Passwords. A Framework for Comparative Evaluation

[609] of Web Authentication Schemes. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 553 - 570.

[610] 608. Yangchun Fu and Zhiqiang Lin. Space Traveling across VM. Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 586 - 600.

[611] 609. Zongwei Zhou, Virgil D. Gligor, James Newsome, and Jonathan M. McCune. Building Verifiable Trusted Path on Commodity x86 Computers. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 616 - 630.

[612] 610. M. Hicks, M. Finnicum, S. T. King, M. M. K. Martin, and J. M. Smith. Overcoming an untrusted computing base. Detecting and removing malicious hardware automatically. IEEE Symposium on Security and Privacy. IEEE computer society (USA). 2010. Pages. 159–172.

[613] 611. Cynthia Sturton, Matthew Hicks, David Wagner and Samuel T. King. Defeating UCI. Building Stealthy and Malicious Hardware. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 64 - 77.

[614] 612. Adam Waksman and Simha Sethumadhavan. Silencing Hardware Backdoor. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 49 - 63.

[615] 613. Ryan Henry and Ian Goldberg. Formalizing Anonymous Blacklisting Systems. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 81 - 95.

[616] 614. L. David Baron. Preventing attacks on a user’s history through CSS. Mozilla. (USA). 2010. Available at http://dbaron.org/mozilla/visited-privacy. Visited on 12 March 2011.

[617] 615. Zachary Weinberg, Eric Y. Chen, Pavithra Ramesh Jayaraman and Collin Jackson. I Still Know What You Visited Last Summer. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 147 - 161.

[618] 616. Matthew Fredrikson and Benjamin Livshits. REPRIV. Re-Imagining Content Personalization and In-Browser Privacy. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 131 - 146.

[619] 617. Arjun Guha, Matthew Fredrikson, Benjamin Livshits and Nikhil Swamy. Verified Security for Browser Extensions. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 115 - 130.

[620] 618. Jeffrey A. Vaughan and Stephen Chong. Inference of expressive declassification policies. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 180 – 194.

[621] 619. Aleksandar Nanevski, Anindya Banerjee and Deepak Garg. Verification of Information Flow and Access Control Policies with Dependent Types. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 165 – 179.

[622] 620. Xin Zhang, Hsu-Chun Hsiao, Geoffrey Hasker, Haowen Chan, Adrian Perrig and David G. Andersen. SCION. Scalability, Control, and Isolation On Next-Generation Networks. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 212 – 227

[623] 621. Reza Shokri, George Theodorakopoulos, Jean-Yves Le Boudec, and Jean-Pierre Hubaux. Quantifying Location Privacy. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 247 – 262

[624] 622. Philip W. L. Fong. Preventing Sybil Attacks by Privilege Attenuation. A Design Principle for Social Network Systems. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 263 – 278

[625] 623. J. R. Douceur. The Sybil attack. International Workshop on Peer-to-Peer Systems (IPTPS’02). Ser. LNCS, vol. 2429. (Cambridge, MA, USA). March 2002. Pages. 251–260.

[626] 624. H. Yu, M. Kaminsky, P. B. Gibbons, and A. D. Flaxman. SybilGuard. Defending against Sybil attacks via social networks. IEEE/ACM Transactions on Networking. Vol. 16, no. 3. Jun. 2008. Pages. 576–589.


[627] 625. H. Yu, P. B. Gibbons, M. Kaminsky, and F. Xiao. SybilLimit. A near-optimal social network defense against Sybil attacks. In Proceedings of the 2008 IEEE Symposium on Security and Privacy (S&P’08). Oakland, CA, USA. May 2008. Pages. 3–17.

[628] 626. A. Cheng and E. Friedman. Sybilproof reputation mechanisms. In Proceedings of the 2005 ACM SIGCOMM Workshop on Economics of peer-to-peer systems (P2PEcon’05). Philadelphia, PA, USA. Aug. 2005. Pages. 128–132.

[629] 627. H. Yu, C. Shi, M. Kaminsky, P. B. Gibbons, and F. Xiao. DSybil. Optimal Sybil-resistance for recommendation systems. In Proceedings of the IEEE Symposium on Security and Privacy (S&P’09). Berkeley, CA, USA. May 2009. Pages. 283–298.

[630] 628. P. J. Denning. Fault tolerant operating systems. ACM Computing Surveys. Vol. 8, no. 4. Dec. 1976. Pages. 359–389.

[631] 629. M. Bishop. Computer Security. Addison Wesley. (USA). 2002

[632] 630. Rui Wang, Shuo Chen, and XiaoFeng Wang. Signing Me onto Your Accounts through Facebook and Google. A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services. 33rd IEEE Symposium on security and privacy (S&P 2012). IEEE computer society (USA). 2012. Pages 365 - 379.

[633] 631. L. Jin, H. Takabi, and J. B. D. Joshi. Towards active detection of identity clone attacks on online social networks. In Proceedings of the First ACM Conference on Data and Application Security and Privacy (CODASPY’11). San Antonio, TX, USA, Feb. 2011. Pages. 27–38.

[634] 632. G. Kontaxis, I. Polakis, S. Ioannidis, and E. P. Markatos. Detecting social network profile cloning. In Proceedings of the 3rd IEEE International Workshop on Security and Social Networking (SESOC’11). Seattle, WA, USA. Mar. 2011.

[635] 633. B. Carminati and E. Ferrari. Enforcing relationships privacy through collaborative access control in web-based social networks. In Proceedings of the 5th International Conference on Collaborative Computing. Networking, Applications and Worksharing (CollaborateCom’09). Washington DC, USA. Nov. 2009.

[636] 634. P. W. L. Fong. Relationship-based access control. protection model and policy language. In Proceedings of the First ACM Conference on Data and Application Security and Privacy (CODASPY’11). San Antonio, TX, USA. Feb. 2011. Pages. 191–202.

[637] 635. P. W. L. Fong and I. Siahaan. Relationship-based access control policies and their policy languages. In Proceedings of the 16th ACM Symposium on Access Control Models and Technologies (SACMAT’11). Innsbruck, Austria. Jun. 2011.

[638] 636. N. Li and M. V. Tripunitara. On safety in discretionary access control. In Proceedings of the 2005 IEEE Symposium on Security and Privacy (S&P’05). Oakland, California, USA. May 2005. Pages. 96–109.

[639] 637. B. Carminati, E. Ferrari, and A. Perego. Rule-based access control for social networks. The OTM 2006 Workshops. Ser. LNCS, vol. 4278. Springer. USA. Oct. 2006. Pages. 1734–1744.

[640] 638. Brendan Dolan-Gavitt, Tim Leek, Michael Zhivich, Jonathon Giffin, and Wenke Lee. Virtuoso. Narrowing the Semantic Gap in Virtual Machine Introspection. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 297 – 312

[641] 639. B. Korel and J. Laski. Dynamic program slicing. Information Processing Letters, 29(3). 1988. Pages. 155 – 163

[642] 640. B. D. Payne, M. Carbone, M. Sharif, and W. Lee. Lares. An architecture for secure active monitoring using virtualization. In IEEE Symposium on Security and Privacy. Oakland, CA, USA. 2008.

[643] 641. A. Lanzi, M. I. Sharif, and W. Lee. K-tracer. A system for extracting kernel malware behavior. Network and Distributed Systems Security Symposium (NDSS). San Diego, CA, USA. 2009.

[644] 642. Chris Owen, Duncan Grove, Tristan Newby, Alex Murray, Chris North and Michael Pope. PRISM. Program Replication and Integration for Seamless MILS. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 281 – 296

[645] 643. D. E. Bell and L. J. LaPadula. Secure computer systems. mathematical foundations and model. The MITRE Corp. Technical Report M74-244. Bedford, Mass. USA. May 1973.

[646] 644. Yinqian Zhang, Ari Juels, Alina Oprea and Michael K. Reiter. HomeAlone. Co-Residency Detection in the Cloud via Side-Channel Analysis. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 313 – 328

[647] 645. Suman Jana, Donald E. Porter and Vitaly Shmatikov. TxBox. Building Secure, Efficient Sandboxes with System Transactions. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 329 – 344

[648] 646. T. Garfinkel. Traps and pitfalls. Practical problems in system call interposition based security tools. In Network and Distributed Systems Security Symposium (NDSS). 2003.

[649] 647. R. Watson. Exploiting concurrency vulnerabilities in system call wrappers. In WOOT. 2007.


[650] 648. David Gullasch, Endre Bangerter and Stephan Krenn. Cache Games – Bringing Access-Based Cache Attacks on AES to Practice. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 490 – 505.

[651] 649. Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, Brandon Enright, Márk Félegyházi, Chris Grier, Tristan Halvorson, Chris Kanich, Christian Kreibich, He Liu, Damon McCoy, Nicholas Weaver, Vern Paxson, Geoffrey M. Voelker, Stefan Savage. Click Trajectories. End-to-End Analysis of the Spam Value Chain. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 431 – 446.

[652] 650. Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson and Dawn Song. Design and Evaluation of a Real-Time URL Spam Filtering Service. 32nd IEEE Symposium on security and privacy (S&P 2011). IEEE computer society (USA). 2011. Pages 447 – 462.

Author:

Mr. Said K Al-Wahaibi is a researcher in the field of computer security and networking, where he conducts courses, prepares studies and supervises projects on the subject for many organizations. He received his BE degree in electronic engineering from the University of Reading (England) in 1990, and his MSc degree in telecommunications engineering from the National University of Sciences and Technology (Pakistan) in 1999. Said has vast practical experience in telecommunications, networking, project management and information security (in which alone he holds 7 infosec licenses), and has received many national and international awards for his activities and participation in the field.

Dr. Norafida Ithnin is a senior lecturer at Universiti Teknologi Malaysia. She received her BSc degree in Computer Science from Universiti Teknologi Malaysia in 1995, her MSc degree in Information Technology (Computer Science) from Universiti Kebangsaan Malaysia in 1998 and her PhD degree in Computation from UMIST, Manchester in 2004. Her primary research interests are in security management, security risk and analysis, and security policy and standards. She is the author and co-author of many journal and conference proceedings at national and international levels.