Invited papers
Vlatko Košturjak (IBM Security Services – EMEA PSS, Zagreb, Croatia)
Analysis of Operation Aurora and Potential Defences
Vesna Ciglar (Faculty of Organization and Informatics, Varaždin, Croatia)
Education in the Service of High-Quality Implementation of Information System Security and Protection
Presentation and paper
A. Galinović (KING ICT d.o.o., ZAGREB, Croatia) Automated Trust Negotiation Models 
For secure communication and access control in open networks mutual trust between entities is needed. Today’s trust mechanisms are based on identities and credential exchange, in which the user is required to decide which credential to submit. This represents a problem in evaluating the trustworthiness of entities which are complete strangers. One solution is an automated trust negotiation system, which governs and controls credential exchange needed for trustworthy communications. Many models have been proposed, each bringing improvements but also raising additional security issues. This article explains these models and their security issues.
Papers
D. Purgar (EUROCOMPUTER SYSTEMS d.o.o., ZAGREB, Croatia), L. Čirjak, Z. Žunko (Eurocomputer Systems, Zagreb, Croatia) Introducing a Business Continuity Management Process into a Smaller Croatian Bank
A large number of companies are introducing a business continuity management process. These are primarily financial institutions, for which the standard methodology for introducing business continuity management, according to the Disaster Recovery Institute, was essentially created; that methodology takes as its basic metric the direct financial losses caused by an interruption of the company's business. The pace of introducing this system into financial institutions in the Republic of Croatia has been considerably accelerated by the deadlines set by the Croatian National Bank. When introducing a business continuity management process into a smaller Croatian bank, the organization faces challenges such as a lack of adequate human resources, the existing workload, and the amount of time and money that can be spent on such activities. For these reasons, such organizations turn to engaging external resources, i.e. consultants. This paper describes a project introducing a continuity management system into a smaller Croatian bank, carried out in cooperation between the bank's staff and external consultants.
G. Vojković (INFODOM d.o.o., Zagreb, Croatia), Ž. Šupica (T-Hrvatski telekom d.d., Zagreb, Croatia) Points of Contact Between ISO 19005 and ISO 27001: a Possible Synergy of Two Standards
The standard HRN ISO 19005-1:2008 (full title: Document management - Electronic document file format for long-term preservation - Part 1: Use of PDF 1.4 (PDF/A-1)) can be a very useful extension of the already widespread standard HRN ISO 27001:2006. ISO 19005 solves one of the biggest problems of electronic document management today, the question of long-term storage. Since an organization's information security system must also cover archived business documents (which often remain confidential for many years), it is necessary to analyse where these two standards complement and touch each other, in order to achieve a synergistic effect in raising the overall quality of information preservation and protection.
A. Klaic (Ured vijeća za nacionalnu sigurnost, Zagreb, Croatia) Overview of the State and Trends in the Contemporary Information Security Policy and Information Security Management Methodologies
A review of the field of information security (IS) policy and IS management methodologies is given in the paper. The review is given in the context of the development of the contemporary information space. Key terms are defined and contemporary development trends are described. The need for IS governance is analysed, the relationship between IS governance and information technology (IT) governance is described, as well as the relationship of this governance level with security frameworks and programmes for information security management system (ISMS) development. A Systemic Security Management Model is described, in which security is considered a dynamic, interconnected, multidimensional activity. The specifics of defining contemporary IS policy content requirements and the concepts of ISMS are determined, especially in the context of traditional IS policy typical of government sectors, but also in the context of general security programme frameworks established by standards such as HRN ISO/IEC 27001. Some of the more important methodologies used in planning, implementing, checking and improving IS policy requirements and ISMS security controls, relevant to both the IS governance and IS management levels, are described in the paper.
P. Pale, J. Šimundić, G. Živković, B. Jeren (Fakultet elektrotehnike i računarstva, Zagreb, Croatia) Some Aspects of Authentication for Distributed Project Teams
It is common for projects nowadays to have multidisciplinary teams whose members belong to different academic institutions worldwide as well as to industry, government and NGOs.
Team members need access to computer and communication infrastructure, services and data with various levels of access privileges. They need access from various locations worldwide to resources spread across different locations, embedded in infrastructures belonging to different owners and protected by numerous firewalls and other means.
The paper discusses the applicability of SOAP for authentication and its practical advantages and drawbacks. Attention is paid to scalability, simplicity of use, maintainability of access rights, flexibility in changing team membership and especially to security issues.
M. Sajko, N. Hadjina (ZIK d.o.o., Zagreb, Croatia), D. Pešut (Visoka škola za informacijske tehnologije, Zagreb, Croatia) Multi-Criteria Model for Evaluation of Information Security Risk Assessment Methods and Tools
Methods and tools supporting the process of information security risk assessment are characterized by several attributes. Those attributes make a particular method or tool more or less suitable for solving risk assessment problems in companies. When planning the use of these methods, companies have limitations such as financing, human resources, knowledge, time, etc. that determine the approach and solution for solving the problem of risk assessment. With respect to these limitations on one side and the attributes of risk assessment methods/tools on the other, we can establish a model for assisting the selection of a suitable method/tool. Experience in applying this model to the selection of appropriate risk assessment support in a few Croatian companies is also presented in this paper.
S. Grgić (Agencija za zaštitu osobnih podataka, Zagreb, Croatia) Protecting the Domain Name System
The Domain Name System (DNS) is the worldwide system that associates a category of digital identifiers, called domains, with a variety of data. The identified threats to DNS communications and components are listed in the Internet Engineering Task Force's specification (RFC 3833). They are: Packet Interception, ID Guessing and Query Prediction, Cache Poisoning, etc. It is clear therefore that the DNS is still far from secure. Existing flaws can affect public Internet users as well as enterprise users. The ISPs' recursive resolvers, as well as enterprise ones, have to be secured. The aim of this paper is to present the latest changes in this crucial service and possible solutions for verifying the authenticity and protecting the integrity of DNS data in the communication between recursive resolvers and authoritative servers, as well as to explain DNSSEC, the security extension to the DNS that, if deployed, can solve the cache poisoning problem.
N. Pavković, L. Perkov (Institut Ruđer Bošković, Zagreb, Croatia) Methods and Tools in Social Engineering
Security, as one of the fundamental measures of the quality of information systems, depends on a large number of technical as well as non-technical factors. Contrary to the general opinion that the vulnerabilities of information systems lie exclusively in the software part of the system, it is actually the human factor that represents the greatest threat to security. Social engineering is the skill of exploiting human weaknesses with the aim of learning valuable information about a protected information system; as such, it represents an extremely important category of penetration testing for determining the security awareness of an organization's employees, and serves as an indicator of whether predefined security rules are respected and enforced within the organization.
The paper presents, describes and categorizes the methods of gathering information by social engineering, and the software and hardware tools that can be used for this purpose.
D. Delija (Insig2 d.o.o, Zagreb, Croatia) Preventive Computer Forensics and Methods of System Log Analysis
This paper describes the analysis of system and other logs and its use in preventive computer forensics. Various ways of carrying out the analysis and collecting data from different kinds of logs are presented, together with the tools and the requirements placed on log collection systems from the standpoint of forensic admissibility. The importance of both the preventive and the traditional forensic approach in computer system management is defined, not only in its security aspects but in the overall management of computer systems.
Break
M. Bača (Fakultet organizacije i informatike, Varaždin, Croatia), J. Ćosić (Ministry of Interior, Bihać, Bosnia and Herzegovina) (Im)Proving Chain of Custody and Digital Evidence Integrity with Time Stamp
The integrity of digital evidence plays an important role in the digital forensic investigation process. Proper chain of custody testimony must include documentation of how data is gathered, transported, analyzed and preserved, and how evidence is handled in any exchange. There are several adapted methods for digitally signing evidence to (im)prove the integrity of digital evidence. Most forensic tools and applications implement some type of hashing algorithm to allow investigators to later verify disk or image integrity. The problem in this process is binding integrity, identity, and the date and time of access to the digital evidence.
In this paper the author will present a trusted timestamping method for signing digital evidence at every stage of the digital investigation process. The timestamp will be obtained from a secure third party (Time Stamp Authority) and will be used to prove the time at which personnel accessed the evidence at any stage of the forensic investigation.
P. Čisar (Telekom Srbija, Subotica, Serbia), S. Bošnjak (Ekonomski fakultet, Subotica, Serbia), S. Maravić Čisar (Visoka tehnička škola strukovnih studija, Subotica, Serbia) Statistics of Network Local Maxima in Function of Intrusion Detection
Intrusion detection is used to monitor and capture intrusions into computer and network systems which attempt to compromise their security. Many intrusions (attacks) manifest as changes in the intensity of events occurring in computer networks. Many different approaches to statistical intrusion detection exist. One of them is behavioural analysis; in line with this, a paper on network local maxima statistics is presented.
M. Tarbuk Application of Systems for Detecting Unwanted Network Traffic
The paper discusses the implementation and use of systems for detecting unwanted network traffic in large business networks which, by their architecture and purpose, belong to the category of registered providers of information services and Internet access.
The systems themselves are network-based, functioning as active components of the central modules that form the core of the network system. Detection systems that are not network-based by architecture, but perform their function by capturing the traffic of the network segment in which they are placed, are also mentioned. Alongside as detailed an explanation as possible of how the systems work, the way captured traffic is redirected towards the sensors is presented at the technology level.
Once the systems are operational, in other words once samples of all kinds of traffic are being fed to them, the fine-tuning of the sensors is discussed, so that only unwanted traffic is highlighted and regular traffic is excluded. By studying the traffic samples that define the traffic matrix of the observed network, configuration parameters are created which evolve over time, making this network segment the most active part of the security aspect of information systems.
The last chapter describes the testing of the system for detecting unwanted network traffic, carried out in accordance with defined penetration testing procedures to which the sensors should react successfully regardless of whether the penetration into parts of the information system succeeds.
S. Picek (Fakultet elektrotehnike i računarstva, Zagreb, Croatia), M. Golub (Faculty of Electrical Engineering and Computing, Zagreb, Croatia) Neural Cryptography as a Response to Attack by Quantum Computer
Public key cryptography gives one possible answer to the problem of key exchange between two parties. In public key cryptography the security of the system is usually based on "hard" mathematical problems. The best-known cryptosystem based on these principles is the RSA cryptosystem, devised more than 30 years ago. Much less known, and even less used, are methods whose security does not rest on facts from number theory. Such methods include quantum and neural cryptography. Neural cryptography is based on the synchronization of two artificial neural networks. The security of such a system comes from the fact that this is an NP-hard problem. The purpose of this article is to show how neural networks can create a shared key by exchanging bits over a public channel and by mutual learning, and to consider the weaknesses of such an algorithm.
V. Antončić (Fakultet elektrotehnike i računarstva, Zagreb, Croatia), A. Galinović (King ICT, Zagreb, Croatia) Key Management in Identity Based Encryption Schemes
Identity Based Encryption is a type of public key cryptography in which a user's public key is some unique information about the identity of the user. An IBE scheme relies on a trusted third party to generate the corresponding private keys. An inherent problem of this system is key escrow. It also requires a secure channel between users and the PKG to deliver private keys. This paper describes several proposals that would eliminate those problems. It also describes how to make identity based encryption more applicable by providing a secure issuing mechanism that would ensure user privacy and authenticity.
M. Šilić, J. Krolo, G. Delač (Fakultet elektrotehnike i računarstva, Zagreb, Croatia) Security Vulnerabilities in Modern Web Browser Architecture
The Web today has become the most used and popular platform for application development. In the beginnings of the Web, applications provided users with just the ability to browse and read content. The expansion and adoption of new Web technologies has led to a significant increase in the development and, more importantly, the usage of Web applications that allow users to create their own content and impact their lives (e.g. e-banking, e-commerce, social networks). These Web 2.0 applications introduced new possibilities for both users and application developers, but also created new security concerns. Almost every Internet user uses a Web browser to access any content on the Internet. Each Web application is designed and developed to be executed inside the Web browser. The Web browser mediates between users and applications. In such an architecture, malicious applications could be loaded and executed inside the Web browser, making it a vulnerable point in preserving security. Modern Web applications demand a new Web browser architecture design that will meet the new security requirements that arose with Web 2.0. In this paper, we study Web browser vulnerabilities, analyze the architecture of popular Web browsers and present how they cope with potential security threats.
S. Groš (Faculty of Electrical Engineering and Computing, University of Zagreb, Zagreb, Croatia), M. Salkić, I. Šipka (Fakultet elektrotehnike i računarstva, Zagreb, Croatia) Protecting TOR Exit Nodes from Abuse
TOR is a mechanism and a network that allows one to anonymously use resources on the Internet. This is very useful in countries with restricted human rights, but also in all the cases when someone has concerns about being watched or otherwise tracked. The main building blocks of the TOR network are TOR nodes that relay traffic in such a way that each node knows only the previous and the next node. A special case are the exit nodes, which finally deliver traffic to its intended destination but do not know from whom the traffic originates. All TOR nodes are run by volunteers throughout the Internet. It turns out that the TOR network is heavily misused, and thus it is dangerous to run TOR exit nodes, as all the misuse of the network appears to be done from the exit nodes, which could bring trouble to their owners. In this paper we analyse misuse of TOR exit nodes and also propose mechanisms that could minimize, or even eliminate, misuse. More specifically, we analyse the use of a honeywall to protect a TOR exit node.
S. Gerić (Fakultet organizacije i informatike, Varaždin, Croatia) Security of Web Services Based Service-Oriented Architectures
Service-oriented architecture (SOA), as a new form of information system (IS) architecture, is becoming more and more important in today's IS development. Some researchers point out that the number of SOA implementations in the next few years will significantly outnumber the number of traditional IS architecture implementations. One of the reasons for this are the possibilities that SOA and the technologies used for SOA development offer. Today's SOAs are mostly based on and developed using Web services technology. Because of that, SOA inherits multiple advantages and disadvantages of Web services technology as well. This is especially important in the context of SOA security issues, which somewhat differ from "traditional" information system security principles.
At the implementation level, SOA security issues are mostly addressed by Web services security solutions, such as trusted communication principles via SOAP, WS-Security and WS-SecureConversation; trusted service via WS-Policy, WS-PolicyAssertions, WS-PolicyAttachment, WS-SecurityPolicy, WS-Authorization and WS-Privacy; and trusted Web via WS-Trust and WS-Federation.
This article addresses the question of the security mechanisms that are usually used, and that can be used, in Web services based SOA implementations from a standardization as well as a technical and implementation point of view. An overview of SOA security solutions is given, with their positive and negative sides as well as compatibility problems in service-oriented architectures that are developed from components based on Web services technology and legacy software components.
Basic information:
Chairs:
Željko Hutinski (Croatia), Marin Golub (Croatia)
Chairman of the International Program Committee:
Petar Biljanović (Croatia)
International Program Committee:
Alberto Abello Gamazo (Spain), Slavko Amon (Slovenia), Michael E. Auer (Austria), Mirta Baranović (Croatia), Ladjel Bellatreche (France), Nikola Bogunović (Croatia), Peter Brezany (Austria), Željko Butković (Croatia), Željka Car (Croatia), Matjaž Colnarič (Slovenia), Alfredo Cuzzocrea (Italy), Marina Čičin-Šain (Croatia), Dragan Čišić (Croatia), Todd Eavis (Canada), Maurizio Ferrari (Italy), Jasna Glavaš (Croatia), Matteo Golfarelli (Italy), Stjepan Golubić (Croatia), Francesco Gregoretti (Italy), Niko Guid (Slovenia), Yike Guo (United Kingdom), Ladislav Hluchy (Slovakia), Vlasta Hudek (Croatia), Željko Hutinski (Croatia), Mile Ivanda (Croatia), Robert Jones (Switzerland), Peter Kacsuk (Hungary), Aneta Karaivanova (Bulgaria), Miroslav Karasek (Czech Republic), Bernhard Katzy (Germany), Christian Kittl (Austria), Miljenko Krvišek (Croatia), Mladen Mauher (Croatia), Branko Mikac (Croatia), A. Min Tjoa (Austria), Jadranko F. Novak (Croatia), Jesus Pardillo (Spain), Nikola Pavešić (Slovenia), Ivan Petrović (Croatia), Radivoje S. Popović (Switzerland), Ognjen Prnjat (Greece), Slobodan Ribarić (Croatia), Karolj Skala (Croatia), Ivanka Sluganović (Croatia), Vanja Smokvina (Croatia), Ninoslav Stojadinović (Serbia), Aleksandar Szabo (Croatia), Laszlo Szirmay-Kalos (Hungary), Jadranka Šunde (Australia), Antonio Teixeira (Portugal), Roman Trobec (Slovenia), Ivana Turčić Prstačić (Croatia), Walter Ukovich (Italy), Mirko Varga (Croatia), Boris Vrdoljak (Croatia), Dalibor Vrsalović (Croatia), Robert Wrembel (Poland), Baldomir Zajc (Slovenia)
Topics:
- Information Security Management
- Network security
- Authorization
- Public Key Infrastructure
- Crypto algorithms and security protocols
- Standardization in Security
Venue:
Opatija, often called "the beauty of the Adriatic", is one of the most popular tourist destinations in Croatia, with the longest tourist tradition on the north-eastern Adriatic coast. Its offer includes some twenty hotels, a large number of restaurants, and numerous sports and recreational facilities. More detailed information can be found at www.opatija.hr and www.opatija-tourism.hr.
Registration / fees (prices in EUR):
| Category | Before 10.5.2010 | After 10.5.2010 |
| Members of MIPRO HU and IEEE | 180 | 200 |
| Students (undergraduate) and primary and secondary school teachers | 100 | 110 |
| Others | 200 | 220 |
Contact:
Željko Hutinski
Fakultet organizacije i informatike
Pavlinska 2
42000 Varaždin, Croatia
Tel.: +385 42 213 232
Fax: +385 42 213 413
E-mail: zeljko.hutinski@foi.hr