ABSTRACT. Family Offices, the financial institutions that manage the finances and investments of very wealthy families, have a number of characteristics that make them a potentially hugely valuable target for cybercriminals. They not only possess substantial financial resources, but they are also disproportionately involved in the digital asset and cryptocurrency markets in ways that larger, more regulated financial institutions have historically not been. Due to their lack of external investors, they have much lower regulatory requirements than many other financial institutions, and thus often have smaller compliance and security staffs. Additionally, the personalized nature of their services can lead to unique vulnerabilities. Finally, high-net-worth individuals and wealthy families have concerns about public scrutiny, reputational risk, and regulatory scrutiny that could limit their willingness to report or publicize being victimized, or to cooperate with law enforcement in investigations. All this combines to make such institutions almost ideal victims from the perspective of a cybercriminal.

ABSTRACT. The exponential increase in cyberattacks in recent years has underscored the limitations of current detection mechanisms and the urgent need for more effective predictive models and methods in Cyber Threat Intelligence (CTI). In fact, many cybersecurity systems rely on threat intelligence to design their defense strategies and identify potential attacks at an early stage. However, threat information used in threat intelligence, often collected from Open Source Intelligence (OSINT), is manually analyzed to determine if it is relevant for proactive defense. Unfortunately, this approach is time-consuming and error-prone due to the large volume of daily shared data. To address these challenges, it is imperative to automate the process of threat information detection and analysis from OSINT sources such as Twitter, where vast amounts of data are continuously generated. In this paper, we propose an artificial intelligence based system for real-time analysis and detection of threat information within tweets. Our system leverages the capabilities of the Bidirectional Encoder Representations from Transformers (BERT) to analyze tweets and optimize a reinforcement learning algorithm, specifically, a Deep Q-Network (DQN), to make decisions on whether a tweet contains relevant threat information or not. The experimental results demonstrate that our system achieves high performance in terms of precision, recall, and F1 score, demonstrating its effectiveness in improving threat information detection on Twitter.

ABSTRACT. Ransomware attacks on financial institutions can have effects beyond the attacked institution itself. When the attacked institution is forced offline, other financial market participants are left unable to complete transactions or obtain information, disturbing normal operations of financial markets. In this paper, we argue that such spillover effects are an important aspect of ransomware attacks and that cybersecurity management should be concerned with them and their mitigation. We illustrate this using three recent cases of ransomware attacks by the LockBit group on financial institutions that had spillover effects on the wider financial market. We identify four lessons learned for market participants facing such spillovers: ensuring the quick substitution of blocked resources, preparing to execute automated processes manually, networking with industry associations, and actively involving regulators. Overall, we hope to raise awareness of spillover effects of ransomware attacks for cybersecurity research and practice.

ABSTRACT. Smart speaker adoption is on the rise, yet many people express privacy concerns regarding the invasive nature of these devices. Increasing adoption coupled with paradoxical behavior where people disclose information in spite of privacy concerns may leave smart speaker users susceptible to privacy invasion. To investigate the relationships between privacy concerns, usage and disclosure behavioural intentions in a smart speaker context, we developed a novel model that integrates the Technology Acceptance Model with the privacy calculus model. The model was tested using a quantitative cross-sectional survey. The data was analyzed using partial least squares structural equation modelling. The results indicate near full support for the model. The implications are that if more adoption and use were to take place, consumer perceptions of usefulness, ease of use and trust should be enhanced, a critical mass of users should be achieved, and perceived privacy risks and concerns related to these devices and services should be lowered.

ABSTRACT. Maritime cybersecurity is a growing concern due to the increasing number of cyberattacks in the sector in recent years. The complexity of the port and ship ecosystem, as well as the lack of awareness and training in the sector, pose significant cybersecurity challenges.

To address these issues, in this paper we describe ICoSSiuM, a cybersecurity simulator specifically tailored to demonstrate and evaluate the impact of attacks on maritime communications. We focus mainly on the study of the Automatic Identification System (AIS). This system, which is used by ships to broadcast various information about their identity, location, speed, and destination, is highly vulnerable to various cyber attacks. We also describe and test several attack scenarios that exploit the weaknesses of this communication system for disturbing maritime operations.

ABSTRACT. Many sophisticated cyber attack campaigns rely on penetrating multiple layers of the system architecture to achieve their goal. Thus, we need to build in security by evaluating the potential threats to the system at the design stage. Existing state-of-the-practice threat modeling tools are only able to identify isolated threats while state-of-the-art solutions require significant manual effort and expertise to encode the knowledge of the system and the attack steps. In this paper, we propose an automated framework that deals with those challenges by (1) taking in system architecture and data path diagrams as input, (2) modeling those diagrams as an expressive system multigraph, (3) encoding the knowledge of attack flows into a common language that is human-readable and machine-actionable, and (4) automatically generating attack paths using the encoded knowledge. We evaluate our framework on different system architectures of varying complexity and functionality and compare our generated attack paths with those constructed manually by security domain experts. Our results show that while we are limited by the attack flows encoded in our knowledge base, our framework allows more comprehensive attack paths to be found and enumerated. Furthermore, we expect that more security domain experts would be able to contribute to our knowledge base, thus expanding the set of attack paths that can be found.

ABSTRACT. Designing secure systems remains a challenging endeavour. To address this, we introduce an approach to enhance system security during the early design phase, targeting the creation of a system's behavioural view. We derived two sound security metrics, Critical Element Risk Index (CERI) and Corruption Propagation Potential (CPP). These metrics inform a system's Behavioural Security Posture (BSP), which we define as a system's resilience to knowable threats based on its flows, as determined by its security policies and threat model. To best support designers, we expanded on previous work and updated our BSP analysis tool, Dubhe. In this expanded approach, Dubhe (1) identifies threats and mitigation patterns present within UML activity diagrams, (2) calculates a system's average CERI and CPP through pattern matching and depth-first flow traversal, and (3) presents a system's BSP to designers, alongside identified threats and recommended mitigation strategies. We demonstrate this approach by applying it to an Online Seller of Merchandise (OSM) system, analyzing a login use case to ensure target security requirements are adequately addressed. Using the information from Dubhe, designers have the tools and support needed to make meaningful security improvements to their systems during the design phase of the SDLC.

ABSTRACT. Securely trace data flows between mobile collectors and mobile or static data hubs is an important challenge with wide industrial applications. In this paper we propose a secure architecture for transmission of data from a mobile collector to a data hub, traced through a transaction including an evidence of the collected data stored in a blockchain via a smart contract. The architecture of the embedded mobile collector integrates a Trusted Execution Environment and a Trusted Platform Module to secure both data transmission to the data hub and on-board built transactions. We highlight a bottleneck, as the rate at which transactions are recorded on the blockchain side triggers the issue of evidences on the embedded device. Therefore, we evaluate via extensive experiments the trade-off between the storage time on blockchain and the number of concurrent transactions in order to challenge the scaling up of our architecture. Our experiments are performed on top of Hyperledger Besu, a widely-used enterprise Ethereum client having QBFT as consensus core. Hyperledger Besu QBFT exhibits highly consistent performance in terms of both transaction time and gas consumption. The system effectively handles increases in client concurrency without significant performance degradation, making it suitable for our use case.

ABSTRACT. As software architectures become increasingly complex, securing them against cybersecurity attacks has become a critical and challenging aspect of application design. This paper introduces a formal framework for the automatic enforcement of security patterns in software architecture, specifically targeting improper authorization vulnerabilities. Improper authorization occurs when access to sensitive resources violates the current access control policy. Using the Alloy framework, our approach identifies key architectural points from detected vulnerabilities. These architectural points are then used to guide the effective enforcement of appropriate security patterns that mitigate the identified vulnerabilities. We demonstrate the proposed approach through a case study in a vulnerable web application, where an authorization pattern is enforced to prevent unauthorized access. By automating this enforcement process, our method contributes to formalize the security design by reducing the reliance on manual security analysis.

ABSTRACT. The ubiquitous and pervasive nature of Internet of Things (IoT) has raised concerns over storage and transmission of sensitive personal data. Therefore, developing technologies to preserve privacy during data distribution in IoT is paramount for security researchers. Until now, the data owners have had little to no control over their private data collected by the IoT devices, which is stored with proprietary cloud service providers and possibly shared among third parties without the consent of the data owners. This happens primarily because the privacy policies of the storage and sharing service providers are not fully transparent as well as difficult to understand. Moreover, the service providers are often than not, keen to analyze and share personal information for their own benefit. As a solution to the privacy problem, this paper proposes a novel approach to combine privacy preserving sticky policy approach with the Attribute-Based Encryption (ABE) technique with the goal of enhancing data control for owners and allowing fine-grained sharing of data. The technique described in this paper utilizes Proxy Re-Encryption (PRE) of transmitted data which prevents even the data storage server from being able to decrypt it. We present our Light-SABRE (Lightweight Sticky Attribute-Based proxy Re-Encryption) architecture which effectively combines the above-mentioned approaches to provide a platform for a private data distribution system for IoT devices.

ABSTRACT. Can large language models serve as valuable tools in cybersecurity tasks? This study explores the breadth of knowledge that large language models (LLMs), including GPT-4, LLaMA 3.1, Mistral-large, and Gemini-1.5, possess in the field of cybersecurity and their potential to understand and solve critical cybersecurity operations. These operations include tasks such as incident response, threat identification, and the ability to address complex issues related to cybersecurity defense and analysis. To rigorously evaluate this potential, we propose a systematic evaluation of these models by defining a benchmark framework. Our evaluation focuses on two main categories: knowledge (theoretical understanding) and skills (practical application), covering key areas of cybersecurity. The responses of the models are assessed using tailored metrics for each type of question. Our findings reveal variability in performance between the different LLMs and cybersecurity domains, highlighting both their strengths and limitations. This work offers a foundation for future research and a standardized approach to the evaluation of LLMs in cybersecurity.

ABSTRACT. As Internet of Things (IoT) devices, drones are among the most popular unmanned aerial vehicles (UAVs), equipped with multiple sensors, cameras, and communication systems. These components expose drones to many critical vulnerabilities, which raise the need to implement effective threat detection while operating them. This study investigates a wifi-based drone to comprehensively assess its vulnerabilities and develop anomaly detection mechanisms using different unsupervised and incremental supervised machine learning techniques. Two types of data were collected: benign data from legitimate actions and attack data comprising nine 9 distinct types of attacks, with an additional 5 sub- categories, totaling 14 types. Feature extraction and engineering were performed based on scripts from the Canadian Institute for Cybersecurity (CIC), which were modified to suit the specific needs of this work. The anomaly detector was formulated after comparing three unsupervised machine learning algorithms: Isolation Forest, Local Outlier Factor (LOF), and Elliptic Envelope, through extensive performance evaluations and analyses. In addition to evaluating these three algorithms, an incremental supervised ML model, specifically the adaptive random forest, was also explored. The study demonstrated the effectiveness of these algorithms in detecting anomalies and enhancing the security of drones. The findings also highlight the critical role of robust feature engineering and careful algorithm selection in developing a reliable anomaly detection system for UAVs.

ABSTRACT. Security control selection is a risk management activity which involves selecting security controls that will most effectively protect a given system. Given that numerous constraints must be considered during control selection, various approaches have been proposed to assist with this decision. However, even with the support of automated solutions, the scalability of these approaches is limited by the underlining complexity of this problem. As a result, in this work, we create a tool that enables scalable automation of a previously proposed game-theoretic approach for control selection. The scalability is achieved through the development of a novel algorithm that finds suggested security control combinations for a system while considering control dependencies and budgetary constraints. As the problem addressed by the algorithm is a variation of the bounded 0-1 knapsack problem with dependencies between items, we prove the functionality of the algorithm and demonstrate that it has computational complexity O(n) in special cases. Lastly, to demonstrate the scalability of the automated solution, we apply the approach using the tool to an illustrative example of a large Canadian military system, demonstrating its advantage over a manual application of the approach.