Visible to the public Biblio

Filters: Keyword is least privilege  [Clear All Filters]
2018-05-09
Jillepalli, A. A., Leon, D. C. d, Steiner, S., Sheldon, F. T., Haney, M. A..  2017.  Hardening the Client-Side: A Guide to Enterprise-Level Hardening of Web Browsers. 2017 IEEE 15th Intl Conf on Dependable, Autonomic and Secure Computing, 15th Intl Conf on Pervasive Intelligence and Computing, 3rd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress(DASC/PiCom/DataCom/CyberSciTech). :687–692.
Today, web browsers are a major avenue for cyber-compromise and data breaches. Web browser hardening, through high-granularity and least privilege tailored configurations, can help prevent or mitigate many of these attack avenues. For example, on a classic client desktop infrastructure, an enforced configuration that enables users to use one browser to connect to critical and trusted websites and a different browser for un-trusted sites, with the former restricted to trusted sites and the latter with JavaScript and Plugins disabled by default, may help prevent most JavaScript and Plugin-based attacks to critical enterprise sites. However, most organizations, today, still allow web browsers to run with their default configurations and allow users to use the same browser to connect to trusted and un-trusted sites alike. In this article, we present detailed steps for remotely hardening multiple web browsers in a Windows-based enterprise, for Internet Explorer and Google Chrome. We hope that system administrators use this guide to jump-start an enterprise-wide strategy for implementing high-granularity and least privilege browser hardening. This will help secure enterprise systems at the front-end in addition to the network perimeter.
2017-05-22
Elliott, Aaron, Knight, Scott.  2016.  Start Here: Engineering Scalable Access Control Systems. Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies. :113–124.

Role-based Access Control (RBAC) is a popular solution for implementing information security however there is no pervasive methodology used to produce scalable access control systems for large organizations with hundreds or thousands of employees. As a result ten engineers will likely arrive at ten different solutions to the same problem where there is no right or wrong answer but there is both an immediate and long term cost. Moreover, they would have difficulty communicating the important aspects of their design implementations to each other. This is an interesting deficiency because despite their diversity, large organizations are built upon two key concepts, roles and responsibilities, where a role like Departmental Chair is identified and assigned responsibilities. In this paper, our objective is to introduce ORGODEX, a new model and practical methodology for engineering scalable RBAC systems in large organizations where employees require access to information on a need to know basis. First, we motivate the requirement for a new RBAC dichotomy, distinguishing between roles and responsibilities. Next, we introduce our new model for describing and reasoning about RBAC systems with this new dichotomy. Finally, we produce a new iterative methodology for engineering scalable access control systems.