DOI: 10.1145/3243734.3243794
Research article

Investigating System Operators' Perspective on Security Misconfigurations

Published: 15 October 2018

Abstract

Nowadays, security incidents have become a familiar "nuisance," and they regularly lead to the exposure of private and sensitive data. The root causes of such incidents are rarely complex attacks. Instead, they are enabled by simple misconfigurations, such as authentication not being required or security updates not being installed. For example, the leak of over 140 million Americans' private data from Equifax's systems is among the most severe misconfigurations in recent history: the underlying vulnerability was long known, and a security patch had been available for months, but it was never applied. Ultimately, Equifax blamed an employee for forgetting to update the affected system, highlighting his personal responsibility. In this paper, we investigate the operators' perspective on security misconfigurations to approach the human component of this class of security issues. We focus our analysis on system operators, who have not received significant attention from prior research. Hence, we investigate their perspective with an inductive approach and apply a multi-step empirical methodology: (i) a qualitative study to understand how to approach the target group and how to measure the misconfiguration phenomenon, and (ii) a quantitative survey rooted in the qualitative data. We then provide the first analysis of system operators' perspective on security misconfigurations, and we determine the factors that operators perceive as the root causes. Based on our findings, we provide practical recommendations on how to reduce the frequency and impact of security misconfigurations.

Supplementary Material

MP4 File (p1272-feibig.mp4)



Published In

CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
October 2018, 2359 pages
ISBN: 9781450356930
DOI: 10.1145/3243734

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. administrators
  2. computer systems
  3. human factors
  4. misconfigurations
  5. operators
  6. security
  7. system operations
  8. vulnerabilities

Qualifiers

  • Research-article

Funding Sources

  • COMET - Competence Centers for Excellent Technologies

Conference

CCS '18

Acceptance Rates

CCS '18 Paper Acceptance Rate 134 of 809 submissions, 17%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 174
  • Downloads (last 6 weeks): 37

Reflects downloads up to 28 Dec 2024

Cited By

  • Not as easy as just update: Survey of System Administrators and Patching Behaviours. Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems (2024), 1-17. DOI: 10.1145/3613904.3642456. Online publication date: 11 May 2024.
  • MetaFly: Wireless Backhaul Interception via Aerial Wavefront Manipulation. 2024 IEEE Symposium on Security and Privacy (SP), 2759-2774. DOI: 10.1109/SP54263.2024.00151. Online publication date: 19 May 2024.
  • Who Left the Door Open? Investigating the Causes of Exposed IoT Devices in an Academic Network. 2024 IEEE Symposium on Security and Privacy (SP), 2291-2309. DOI: 10.1109/SP54263.2024.00117. Online publication date: 19 May 2024.
  • Security Posture Improvement with High-Availability Keycloak SSO. 2024 23rd RoEduNet Conference: Networking in Education and Research (RoEduNet), 1-7. DOI: 10.1109/RoEduNet64292.2024.10722696. Online publication date: 19 Sep 2024.
  • Uncovering the Role of Support Infrastructure in Clickbait PDF Campaigns. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), 155-172. DOI: 10.1109/EuroSP60621.2024.00017. Online publication date: 8 Jul 2024.
  • Decoding developer password patterns: A comparative analysis of password extraction and selection practices. Computers & Security 145 (2024), article 103974. DOI: 10.1016/j.cose.2024.103974. Online publication date: Oct 2024.
  • Multiview. Proceedings of the 32nd USENIX Conference on Security Symposium (2023), 7499-7516. DOI: 10.5555/3620237.3620657. Online publication date: 9 Aug 2023.
  • Improving logging to reduce permission over-granting mistakes. Proceedings of the 32nd USENIX Conference on Security Symposium (2023), 409-426. DOI: 10.5555/3620237.3620261. Online publication date: 9 Aug 2023.
  • Social Transparency in Network Monitoring and Security Systems. Proceedings of the 22nd International Conference on Mobile and Ubiquitous Multimedia (2023), 37-53. DOI: 10.1145/3626705.3627773. Online publication date: 3 Dec 2023.
  • Security Champions Without Support: Results from a Case Study with OWASP SAMM in a Large-Scale E-Commerce Enterprise. Proceedings of the 2023 European Symposium on Usable Security (2023), 260-276. DOI: 10.1145/3617072.3617115. Online publication date: 16 Oct 2023.
