D. A. Flores

Hybrid Logical Clocks for Database Forensics: Filling the Gap between Chain of Custody and Database Auditing (Article)

2020-01-23T21:30:00.000-08:00

The18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE)

Abstract

Database audit records are important for investigating suspicious actions against transactional databases. Their admissibility as digital evidence depends on satisfying Chain of Custody (CoC) properties during their generation, collection and preservation in order to prevent their modification, guarantee action accountability, and allow third-party verification. However, their production has relied on auditing capabilities provided by commercial database systems which may not be effective if malicious users (or insiders) misuse their privileges to disable audit controls, and compromise their admissibility. Hence, in this paper, we propose a forensically-aware distributed database architecture that implements CoC properties as functional requirements to produce admissible audit records. The novelty of our proposal is the use of hybrid logical clocks, which compared with a previous centralised vector-clock architecture, has evident advantages as it (i) allows for more accurate provenance and causality tracking of insider actions, (ii) is more scalable in terms of system size, and (iii) although latency is higher (as expected in distributed environments), 70 per cent of user transactions are executed within acceptable latency intervals.

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2019.00038

PhD Annual Progress Report - Y3

2018-07-27T22:18:00.000-07:00

This is my last research report before submission 😀😉

Implementing Chain of Custody Requirements in Database Audit Records for Forensic Purposes (Article)

2017-09-11T03:26:00.000-07:00

The 16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-17, 2 August 2017.

Abstract

During forensic database investigations, audit records become a crucial evidential element; particularly, when certain events can be attributed to insider activity. However, traditional reactive forensic methods may not be suitable, urging the adoption of proactive approaches that can be used to ensure accountability through audit records whilst satisfying Chain of Custody (CoC) requirements for forensic purposes. In this paper, role segregation, evidence provenance, event time- liness and causality are considered as CoC requirements in order to implement a forensically ready architecture for the proactive generation, collection and preservation of database audit records that can be used as digital evidence for the investigation of insider activity. Our proposal implements triggers and stored procedures as forensic routines in order to build a vector-clock- based timeline for explaining causality in transactional events recorded in audit tables. We expect to encourage further work in the ﬁeld of proactive digital forensics and forensic readiness; in particular, for justifying admissibility of audit records under CoC restrictions.

DOI: 10.1109/Trustcom/BigDataSE/ICESS.2017.299

Proactive Database Forensics: Chain of Custody Requirements for Database Audit Records (WPCCS-17)

2017-07-06T13:28:00.001-07:00

Presented in WPCCS-17 on 30 June 2017.

Abstract: In forensic database investigations, audit records are important evidence for analysing malicious activities carried out by trusted employees or insiders who may have misused their privileged access to sensitive transactional information. Our research proposes a proactive forensic approach for the generation, collection and preservation of audit records related to insider activity in order to ensure accountability whilst satisfying Chain of Custody (CoC) requirements. Hence, role segregation, evidence provenance, event timeliness and causality are considered as functional requirements for the implementation of a forensically ready architecture to proactively investigate insider activity. This architecture implements triggers and stored procedures as forensic routines for building a vector-clock-based timeline in order to explain causality in suspicious transactional events that can be attributed to malicious insiders.

WPCCS-17 Poster from Denys A. Flores

Bring Your Own Disclosure: Analysing BYOD Threats to Corporate Information (Article)

2017-02-09T09:09:00.000-08:00

The 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 25 August 2016.

Abstract

Mobile device consumerisation has introduced the Bring-Your-Own-Device (BYOD) trend to the organisational context, allowing employees to work using their personal devices. However, as personal mobile devices are perceived as less secure than those provided by the organisation, BYOD has risen security concerns about corporate information being accessed by mobile devices from inside and outside the corporate perimeter. Moreover, this uncontrolled mobile device activity makes it difficult to differentiate external (outsider) malicious activity from reckless/naive employee (insider) behaviour, preventing effective correlation of unauthorised actions with the perpetrators. In this paper, a STRIDE-based BYOD Threat Model is proposed to analyse BYOD Threat Interactions from inside and outside the corporate perimeter. Our research contributes to a better understanding and awareness about the influence of BYOD Threats on disclosure and contamination of corporate information, encouraging future work in the field of BYOD security and digital forensics in order to protect information and manage an increasing number of evidence sources.

DOI: 10.1109/TrustCom.2016.0169

An integrated model for ICT Governance and Management applied to the Council for Evaluation, Accreditation and Quality Assurance of Higher Education Institutions in Ecuador (CEAACES)

2015-12-04T20:00:00.000-08:00

IEEE International Conference on Computing, Communication and Security (ICCCS), 4 December 2015
Authors: C. W. Montenegro, D. A. Flores

Abstract

As an effect of the modernization policy in the administrative processes inside the Ecuadorean Central Government, the usage of Information and Communication Technologies (ICTs) has increased during the last years within more than 300 of the most important and high-ranked public institutions. Likewise, the citizen access to Internet and e-Government services has grown due to the democratization of the governmental ICT platform to ensure access to the most important public services, including those offered by Higher Education Institutions (HEIs). However, the applicable regulatory and legal framework in the public sector has very little compliance with governance and management considerations. Our work develops a combined model for ICT governance and management based on academic models for governance and strategic alignment, aided by professional practices in the field, fully compliant with the regulatory mechanisms that operate within the Central Government of Ecuador. Also, our work analyzes the results, limitations and future work regarding the applicability of this model inside the Council for Evaluation, Accreditation and Quality Assurance of Higher Education Institutions (CEAACES) in order to support the process of continuous improvement of public higher education in Ecuador.

DOI: 10.1109/CCCS.2015.7374158

Conozca cómo evadir el ataque de los ‘hackers'

2015-07-24T20:00:00.000-07:00

Diario el Comercio (ECU), 24 July 2015

Conozca cómo evadir el ataque de los hackers from Denys A. Flores

Memories 2014 - Campus Party Quito 4

2014-11-18T07:45:00.000-08:00

Memorias del Campus Party Quito 2014 from Denys A. Flores

An Authentication and Audit Architecture for Enhancing Security on eGovernment Services

2014-03-21T20:00:00.000-07:00

IEEE 1st International Conference on eDemocracy & eGovernment - ICEDEG 2014, 21 March 2014

Author: D. A. Flores

Abstract

eGovernment deploys governmental information and services for citizens and general society. As the Internet is being used as underlying platform for information exchange, these services are exposed to data tampering and unauthorised access as main threats against citizen privacy. These issues have been usually tackled by applying controls at application level, making authentication stronger and protecting credentials in transit using digital certificates. However, these efforts to enhance security on governmental web sites have been only focused on what malicious users can do from the outside, and not in what insiders can do to alter data straight on the databases. In fact, the lack of security controls at back-end level hinders every effort to find evidence and investigate events related to credential misuse and data tampering. Moreover, even though attackers can be found and prosecuted, there is no evidence and audit trails on the databases to link illegal activities with identities. In this article, a Salting-Based Authentication Module and a Database Intrusion Detection Module are proposed as enhancements to eGovernment security to provide better authentication and auditing controls.

DOI: 10.1109/ICEDEG.2014.6819952

Memories 2013 - Campus Party Quito 3

2013-09-12T07:32:00.000-07:00

Memorias del Campus Party Quito 2013 from Denys A. Flores

A Social Engineering Discussion about Privacy Attacks and Defences in Web Browsers and Social Networks

2013-07-05T20:00:00.000-07:00

8th Congress of Science and Technology - ESPE 2013 - ISSN 1390-4663, 05 July 2013
Author: D. A. Flores

Abstract

Social engineering is the human side of hacking involving deliberate actions to violate privacy by persuading an individual to disclose private information. On the other hand, even when technical hacking and social engineering techniques are viewed as two different threats, hackers use the technology available to create sophisticated privacy attacks, like the Man-In-The-Middle attack, by combining technical skills and psychological techniques. Hence, this article reviews previous work in the field of security and privacy, and explores the technical and psychological aspects of social engineering in order to discuss their implication in social-engineering-based privacy
attacks and defences considering web browsers and social networks.

Full Access

An Anti-Money Laundering Methodology: Financial Regulations, Information Security and Digital Forensics Working Together

2013-02-27T09:23:00.000-08:00

Journal of Internet Services and Information Security, February 2013
Authors: D. A. Flores, O. Angelopoulou, R.J. Self

Abstract

Analysing large amounts of financial information within databases can be hardly accomplished when dealing with money laundering. The main reason is the lack of digital forensics and proper database analysis procedures within the anti-money laundering strategies of financial institutions. Also, analysing single or grouped financial events related to money laundering is difficult when the Know-Your-Customer Policies in these institutions are not enforced, or even used as evidentiary instruments to gather digital evidence and track suspicious customers through the whole investigation life cycle. Even though the relevant data sources to get information from can be identified and used to create Suspicious Activity Reports, they need to be protected from money laundering events, and by these means, prevent their confiscation. Hence, in this article, we propose a methodology for combining digital forensics and database analysis in order to enhance money laundering detection. Additionally, in order to tackle the lack of synergy between the KYC policies and Information Security requirements, we enhance our previous model by analysing the FATF recommendations, the Basel Frameworks along with the BS ISO/IEC 27001, 27002 and 27037 standards in order to incorporate some of their best-practices into a methodology for money laundering detection model to deliver a set of requirements and activities for customer verification and financial evidence extraction before, during, and after a suspicious activity takes place.

Full Access

Detection and Mitigation of MITM Attacks in Storage Cloud Infrastructures

2013-01-05T09:26:00.000-08:00

CyberSecurity for the Next Generation, Kaspersky International Student Conference, 05 January 2013

Kaspersky csng 2013 from Denys A. Flores
Original Screenshot from www.kaspersky[dot]co[dot]za
Last Accessed: 18/01/2018

Authors: J. Carmilema, D. Medrano, D. A. Flores

Abstract

Cloud computing is changing IT service provision around the world, not only within large, but also small enterprises. These are benefited by tremendous advantages in cost reduction and customer satisfaction; however, behind this, there is a constant concern about risk management and vulnerability analysis when IT services are placed in the Cloud with thirdparties managing the security of the core-business infrastructure. Moreover, when moving to the Cloud, providers struggle to ensure high integrity, availability and confidentiality of information because Cloud Services are still exposed to traditional threats due to the inherited protocols working underneath, which have not evolved as quick as these services. In this article, we briefly explain some important concepts of Cloud Computing in order to understand the impact of ARP Spoofing, via a Man-In-The-Middle Attack (MITM) within a small experimental Storage Cloud environment so that a possible way to mitigate this particular problem to guarantee secure connections can be provided.

Combining Digital Forensic Practices and Database Analysis as an Anti-Money Laundering Strategy for Financial Institutions

2012-09-01T09:35:00.000-07:00

1st International Workshop on Cybercrimes and Emerging Web Environments (CEWE-2012), conj.with the 3rd International Conference on Emerging Intelligent Data and Web Technologies (EIDWT-2012), Bucharest, Romania. 19 - 21 September 2012
Authors: D. A. Flores, O. Angelopoulou, R. J. Self

Abstract

Digital forensics is the science that identify, preserve, collect, validate, analyse, interpret, and report digital evidence that may be relevant in court to solve criminal investigations. Conversely, money laundering is a form of crime that is compromising the internal policies in financial institutions, which is investigated by analysing large amount of transactional financial data. However, the majority of financial institutions have adopted ineffective detection procedures and extensive reporting tasks to detect money laundering without incorporating digital forensic practices to handle evidence. Thus, in this article, we propose an anti-money laundering model by combining digital forensics practices along with database tools and database analysis methodologies. As consequence, admissible Suspicious Activity Reports (SARs) can be generated, based on evidence obtained from forensically analysing database financial logs in compliance with Know-Your-Customer policies for money laundering detection.

DOI: 10.1109/EIDWT.2012.22

CONDOR: A Hybrid IDS to Offer Improved Intrusion Detection

2012-06-27T09:42:00.000-07:00

3rd International Symposium on Mobile and Wireless Network Security (MWNS-12) in conj. with TrustCom 2012: The 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Liverpool, 25-27th June 2012.

Authors: D. J. Day, D. A. Flores, H. S. Lallie

Abstract

Intrusion Detection Systems are an accepted and very useful option to monitor, and detect malicious activities. However, Intrusion Detection Systems have inherent limitations which lead to false positives and false negatives; we propose that combining signature and anomaly based IDSs should be examined. This paper contrasts signature and anomaly-based IDSs, and critiques some proposals about hybrid IDSs with signature and heuristic capabilities, before considering some of their contributions in order to include them as main features of a new hybrid IDS named CONDOR (COmbined Network intrusion Detection ORientate), which is designed to offer superior pattern analysis and anomaly detection by reducing false positive rates and administrator intervention.

DOI: 10.1109/TrustCom.2012.110