2012 Royal Holloway information security thesis series

security research news
For the fifth year, SearchSecurity.co.UK is extremely proud to collaborate with the Royal Holloway, University of London, Information Security Group to feature thesis articles from graduates of its master of science program in information security.

This year's articles discuss topics from a variety of information security disciplines, including the risks of multi-tenancy cloud computing, defences against cross-site scripting (XSS), and theories for designing a secure contactless payment system. Previous years' articles, including the 2011 Royal Holloway thesis series, have focused on topics such as virtualisation security, quantum key distribution, and the security of electronic health records.

SearchSecurity.co.UK is pleased to present the following articles from the best and brightest of this year's RHUL master of science graduates.

Table of contents:

An incident response process for armoured malware

Makers of today's malware go to great lengths to disguise their code, often making it virtually impossible for even the most determined investigator to trace the true course of events. In this article, Steve Hendrikse, under the supervision of course director John Austen, outlines the elements of a sound incident response process, and then explains the various techniques malware developers use to disguise their code and prevent it from being analysed.

Designing a secure contactless payment system

Credit card transactions for which the cardholder is not physically present expose the customer to the danger of data theft or misuse. This article, written by Albert Attard under the supervision of lecturer Adrian Leung, traces the history of electronic payments and shows how they have developed over the years to reflect new buying habits, and proposes a new payment scheme that makes use of near-field communication and contactless cards.

A framework for preventing cross-site scripting

By using secure coding techniques, organisations can protect themselves against certain forms of cross-site scripting (XSS) attacks, but hackers are constantly developing new ways of tricking websites into accepting malicious payloads. This article, written by Joseph Bugeja under the supervision of lecturer Geraint Price, not only demonstrates the dangers of XSS attacks, but also proposes a pragmatic new framework to prevent XSS attacks.

Risks of multi-tenancy cloud computing

Despite its benefits to IT, multi-tenancy cloud computing renders traditional network security controls almost useless in protecting one set of users from another, meaning an attacker could rent one of these VMs and instantly be shoulder-to-shoulder with several potential targets. Here, Jacobo Ros, under the supervision of lecturer Chez Ciechanowicz, explores the ways in which an attacker might locate and attack a target VM in the cloud, and proposes some simple defensive measures.

PCI compliance, cloud computing are a costly pair

Is it safe for merchants seeking compliance with PCI DSS to move card data to a cloud service provider? Or should that data always remain on in-house systems? In this article, Patrick Durkin, under the supervision of lecturer Geraint Price, examines PCI compliance, cloud platforms and the virtualisation technologies used in the cloud. Durkin explores the security controls that must be deployed to achieve adequate protection for card data held on a cloud service.

An analysis of cloud security certifications

A cloud provider may try to prove its security through adherance with an audit standard -- SAS 70, ISO 27001, PCI DSS or a range of others -- but how valid are those standards for the world of the cloud? In this article, Robert Farrugia, under the supervision of lecturer Geraint Price, provides a detailed mapping of the current cloud security certification standards applicable to the cloud, and illustrates where each standard is lacking.