Event program

Thursday, 5/23/2013 3:00 PM - 5:30 PM, Liburna, Hotel Admiral, Opatija Papers  3:00 PM - 3:15 PM O. Mirković (ERICSSON NIKOLA TESLA d.d., ZAGREB, Croatia) Security Evaluation in Cloud   While creating the cloud security architecture the opportunity arises to apply IT best practices and the principles of security for a particular domain and to solve a specific set of issues related to security, measurability being one of the hardest. The article explains a measurable model with set of controls for a cloud. Further this article enlists the set of tools that can be used to evaluate the security of private, public, community or hybrid cloud. 3:15 PM - 3:30 PM A. Donevski, S. Ristov, M. Gusev (Ss. Cyril and Methodius University, Faculty of Information Sciences and Computer Engineering, Skopje, Macedonia) Security Assessment of Virtual Machines in Open Source Clouds  A company security perimeter is impaired if virtual machines are migrated from on-premise to the cloud. Although cloud service provider (CSP) offers some security level to migrated virtual machines, mostly from outside the cloud, the cloud customer is challenged with newly raised security challenges due to multi-tenancy, i.e. the threat from other co-tenant virtual machines hosted inside the cloud. CSP also faces threats from all tenants in the cloud. Both CSP and the tenants can be compromised if some vulnerability exists. In this paper we analyze the security threats of the same virtual machine both from other tenants and outside of the cloud. Also, we compare the security level that the most common open source clouds provide for particular virtual machine. The security assessment is realized for virtual machines with different operating systems. 3:30 PM - 3:45 PM S. Groš (University of Zagreb, Zagreb, Croatia) Security Analysis of Croatia's Receipt Registration and Verification System  Beginning with 2013. a law in Croatia come into the force that requires owners of restaurants, café bars, and similar types of businesses that work with cash to register every receipt with a Tax Administration servers before issuing it to a customer. For the purpose of implementing the law APIS-IT, a Croatian IT company, developed a protocol based on XML, SOAP, and public key cryptography. They also implemented the server side system. It is a well known fact that developing protocols in general, and security protocols in particular, is a very tricky endeavor in which even the security professionals make mistakes. In this paper a security analysis of the protocol for receipt registration, the components of the system, and implementations is presented. Note that this is only a partial analysis, based on publicly available information, which doesn't include testings on live systems due to being illegal by the new Criminal law in Croatia. We identified two weaknesses of the current system. But the main problem of the system is the fact that many business owners are now open to different attacks and nothing has been done to remedy that situation. This is actually a broader problem since, with ever increasing number of on line services nothing is done to increase security awareness of people. 3:45 PM - 4:00 PM A. Klaić (Ured vijeća za nacionalnu sigurnost, Zagreb, Croatia), M. Golub (Fakultet elektrotehnike i računarstva, Zagreb, Croatia) Conceptual Information Modelling within the Contemporary Information Security Policies  The contemporary information security policy is analysed in the paper within the frameworks that are characterised by increased similarities among the information security requirements of different sectors of society, but also increased differences in comparison with the traditional approach to the security within the closed environments. Key factors of the information security policy: people, process, and technology, are closely related to the requirements and restrictions imposed by certain type of information. In that way the approach to conceptual information modelling becomes one of the central problems of contemporary information security policies. The paper elaborates the approach to the conceptual information modelling, stressing the requirements of both the protection and the sharing of information. It offers the taxonomy of the main terms, which is the base for the development of proposed conceptual model of the information definition and sharing. The conceptual model is based on the standard UML graphical notation that makes it easier to visualize and understand proposed model and the approach applied in the paper. The proposed model introduces formalized and more structured approach to this field in order to facilitate the development of the solutions that can keep up with the growing complexity of contemporary information security policies. 4:00 PM - 4:15 PM BREAK   4:15 PM - 4:30 PM I. Sedinić, Z. Lovrić (Hrvatski Telekom d.d., Zagreb, Croatia) Influence of established security governance and infrastructure on future security certifications  Abstract: In today business environment different security certificates are not any more “nice to have” feature but business prerequisite for service providers. PCI DSS certification is a must for card issuers and merchants and ISO27001 certification is very often prerequisite to qualify for ICT services offering. In this paper will be shown how proper security governance and security framework on which is built adequate security infrastructure could simplify and speed up certification process, while at the same time reduce cost of certification. Additionally, on examples of ISO27001 and PCI DSS, influence of one existing certificate on certification process for other will be analyzed. 4:30 PM - 4:45 PM K. Skračić, P. Pale, B. Jeren (Fakultet elektrotehnike i računarstva, Zagreb, Croatia) Knowledge based authentication requirements  The aim of this paper is to define a set of requirements for creating a secure user authentication method based on the user’s knowledge. The requirements address four issues in user authentication. The first refers to eavesdropping an authentication session and using the intercepted information in the next session. By repeating the recorded response an attacker may falsely authenticate himself as a legitimate user. The second issue is the ability to predict an authentication challenge by analyzing previous challenges. If an attacker can record a set of challenges over a long period, he may be able to learn the next challenge beforehand. The third issue is the guessability of correct responses to authentication challenges. An attacker may have multiple sources of information about the user. The correct response to a challenge should not be obvious from such sources. The fourth issue is the authentication server’s vulnerability. By this we mean any information system component that is used to authenticate users. If an attacker manages to gain complete access to the authentication server and its data, the user’s digital identity should not be compromised. 4:45 PM - 5:00 PM K. Hajdarević (Faculty of Electrical Engineering, University of Sarajevo, Sarajevo, Bosnia and Herzegovina), P. Allen (Open University, Milton Keynes, United Kingdom) A New Method for the Identification of Proactive Information Security Management System Metrics  In today’s business environments information is a most important asset for company’s or organisation’s short and long term sustainability. Because there are many different risks associated with information security more broad and formal approach in securing information assets is needed to be implemented such as ISO 27000 set of standards. To be successful in preventing effects of security breaches, proactive actions have to be planed in advance predefined, communicated and trained for each specific risk resolution situation. In this paper is presented approach for planning proactive actions supported with appropriate metrics based on ISO 27000 series of standards. 5:00 PM - 5:15 PM B. Vukelić, K. Škaron (Veleučilište u Rijeci, Rijeka, Croatia) Cyber Crime and Violation of Copyright  Rad se bavi problematikom računalnog kriminaliteta te ponajprije govori o svjesnosti ljudi o povredi autorskog prava. Zakoni vezani za autorska prava u stvarnom svijetu vrijede i u virtualnom svijetu. Problem se javlja pri kršenju tih zakona, koje može biti namjerno ili nenamjerno. Jedan od glavnih uzroka je manjak svjesnosti o njihovu postojanju. Za potrebe ovog rada provedeno je istraživanje metodom ankete na uzorku od 110 ispitanika (n = 110) različitog spola, dobi, obrazovanja i statusa. Rezultati istraživanja prikazani su kroz tri cjeline – općenito o računalnom kriminalu, intelektualno vlasništvo i autorska prava. This paper describes cyber crime and violation of copyright. All the copyright laws that have to be obeyed in the real world apply to the virtual world as well. The problem arises when people violate these laws, whether they are aware of it or not. One of the primary causes is the lack of awareness of the existence of copyright law. A group of 110 examinees, of different sex, age, education level and social status took part in a poll for the purposes of this research. The results are shown in three parts – cyber crime in general, intellectual property and copyright. 5:15 PM - 5:30 PM F. Gabela (BH Telecom d.d. Sarajevo, Sarajevo, Bosnia and Herzegovina) Pravna regulativa kompjuterskog kriminala s osvrtom na Bosnu i Hercegovinu  Razvoj informacionih tehnologija uticao je na povećanje broja krivičnih djela iz oblasti kompjuterskog kriminala. Porast broja krivičnih djela iz ove oblasti posebno se odnosi na one oblike izvršenja krivičnih djela sa elementima prekograničnog i internacionalnog kriminala. Unifikacija i efikasna međunarodna saradnja, osnovne su pretpostavke za bolju koordinaciju nadnacionalnih napora za suzbijanje ove vrste krivičnih djela. U radu su analizirani najčešći oblici kompjuterskog kriminala. Kompjuterski kriminal je relativno nova kategorija i nedovoljno je tretiran u pravnoj regulativi. Relevantna analiza pravne regulative nije moguća bez osvrta na Konvenciju o kompjuterskom kriminalu donijete od strane Savjeta Evrope i ukazivanja na njen značaj u globalnim okvirima. Bosna i Hercegovina je jedna od država koje su uvidjele potrebu za postavljanjem visokih standarda implementacije savremenih pravno-tehničkih instrumenata za borbu protiv zloupotrebe visokih tehnologija. Ono što je neophodno u suzbijanju kompjuterskog kriminala jeste utemeljen i stabilan pravni sistem sa jakom zakonskom regulativom.