Internet of Things (IoT) Security

Internet of Things Security

There is not a distinctive standard explanation of what exactly what the Internet of Things (IoT) is. Most professionals define the term as the connection of diverse devices that can provides or request a service over the Internet to enable human-to-thing, thing-to-thing, and thing-to-things for the transmission of data. There are many ways that IoT applications are improving everyday life. Vehicles are now being equipped with small IoT devices that enable vehicles to downloading roadmaps with updated traffic information and protection against auto theft. Even are buildings are having IoT device installed with sensors that allow users to remotely control a building’s energy consumption to different systems such as lights and air conditioners based on preferences. Even many household items are sold being sold with their own embedded processing unit which enable product to have IoT abilities.

The concept of what IoT as systems is composed of has caught the attention of many people from academic and industry. The IoT reference model has been used to explain the each of the different sections within an IoT system ranges from three to seven different levels. The first reference model for IoT system consisted of three levels and described IoT as a system of Wireless Sensor Networks (WSNs).

  1. Application
  2. Cloud server
  3. WSN

The second model proposed model has five-levels and reduces the complexity during interactions between different sections of the model, resulting in simpler applications with well-defined components. The current model created by CISCO in 2014 extends the previous models into seven different levels, where the flow of data has a dominate direction depending on the type of application. The first three levels of the model are grouped into the Edge-side layer.

  • Level 1 consists of edge devices computing nodes such as: smart controllers, sensors, and RDIF readers.
  • Level 2 consists of the many communication components that enable the transmission of data or commands.
  • Level 3 is the edge ( or fog) computing level. This is where simple data processing starts to reduce the computation load in the upper levels, producing a faster response.

The next three layers are grouped into the server or Cloud-side layer.

  • Level 4 reduces the amount of data in motion to resting state by filtering and selective storing network packets to database tables.
  • Level 5 the information becomes abstract to provide the ability to render and store data allowing more efficient and simpler data processing.
  • Level 6 the information can be interpreted in application for marketing, academic, and industrial needs.

The final group contains only level 7, this is where users interact with the data using application from the IoT node data.

 

 

The motivations of potential attackers who launch attacks against IoT devices and systems might include the stealing of sensitive data or compromising IoT component. The vulnerabilities for IoT devices at the first level start with hardware Trojans. These are a major concert for IoT integrated circuits since an attacker can use the circuit to exploit a nodes functionality to get access to data or software running on integrated circuits. This might happen one of two ways:

  • Externally activated trojan by an antenna or sensor
  • Internal-activated trojan once a certain condition is met within the integrated circuits

Non-network side-channel attacks in edge node may reveal critical information under normal operation even when a node is not current using any wireless communication to send or receive data. Lastly, a Denial of service (DoS) attacks can occur against IoT devices and the three main types of attack are: battery draining, sleep deprivation, and outage attacks.

  • In a batter draining DoS attack, an attacker will send many packets to a node forcing it to run varies system checks repeatedly. Since nodes tended to be very small, carrying small batteries with limited energy capacity.
  • In a Sleep deprivation attack, an attacker will attempt to send a chain of request to a node that will appear to be legitimate. Since most IoT nodes are battery-powered node with a limited energy capacity.
  • When a possible outage attacks occurs, an edge node stops performing at normal operating. However, this may be as a result of an unintended error or a system issue.

Implementing RFID tags in IoT device at the edge node level requires all such RFID tags to provide a unique identifier that any nearby RFID reader can read. The tag that is attached to a product or an individual making creating tracking information. Certain types of tags can carry information about the product or individual it is attached to making a node easily inventoried for a third party. The electronic product code (EPC) tags contains two custom fields that create privacy concerns for users: the manufacturer and product code.

The scope of attacks at the communication level of the reference model an attacker might consider for reconnaissance is network eavesdropping or packet sniffing. This occurs when an attacker deliberately listening to private conversion over system communication links. This can prove an attacker with invaluable information when the data is unencrypted or sent in plaintext. Data contained within a network packet might contain the following:

  • Usernames & passwords
  • Shared network passwords
  • Node configuration

A side-channel attack is not easy to implement but are powerful attack against encryption algorithms. This type of attack can be launched from the both edge node and communication levels. However, when a side-channel attack is launched from the communication level are not easily defended against since this method is non-invasive and undetectable. Another possible attack at this level is the injection of fraudulent packets into communication links by inserting new packets in networking or the capturing networking packets then manipulation of the data containing with.

There are new and emerging challenges to securing IoT systems such as dramatic increase in the number of weak links and unexpected uses of data. The dramatic increase in the number are as a result of the special characteristics of devices and cost factors by device manufactures such as compact battery-powered devices with limited storage and computation resources, many market devices are not able to support secure cryptographic protocols. Lastly, the unexpected uses of data from environment or user-related data collection by Internet sensors from present computing enabled by IoT technologies has led to the unwelcome influence of Internet-connected sensors in everyday living around create privacy concerns with users.

As more developers push new IoT devices and services to the Internet this will lead to the discovery of new IoT vulnerabilities and attacks against users and systems. Most system are designed to a specific application or service and testing the security of the system might be complex and time consuming but is necessary as the number of new devices deployed to the Internet by manufactures increases each week. Some security threats might not be as widely recognized other are, but new threats to IoT devices and application should be made addresses both by security professionals and developers to minizine the scope of possible risk to users and devices.

 

References

MOSENIA, A., & JHA, N. (2017). A Comprehensive Study of Security of Internet-of-Things. IEEE Transactions on Emerging Topics in Computing, 586-602.

 

 

Software Quality Management

Quality is defined as the sum of the total characteristics of a software entity that bears on its ability to satisfy or implied needs. The purpose of software project quality management is to ensure that the project will satisfy the needs for which it was undertaken. Managing the quality of a software project and its development processes must meet the requirements and satisfy the user’s experience. Businesses often make quality management a serious discipline a major component of their IT risk reduction strategy.

A software package must conform to the written requirements of the project’s processes and deliverables. When the project is “fit for use” is when the product can be used as it was intended, ensuring the product will satisfy the needs for which it was developed for. In the end the customer will decide of the quality of the software is acceptable or not. Design of experiments is a technique that helps to identify which variables have the most influence on the overall outcome of a process for understanding which variables affect the final outcome is an important part of quality planning.

There are many scope aspects of IT projects that affect the quality of a project are. The biggest aspect is the system’s functionality, the degree to which a system performs its intended function. A system must contain the features that have characteristics which are appealing to the intended user. After the user interacts with a system it must generates outputs which are shown on the screens and reports, it is important to define clearly what the screens and reports look like for a system. A system’s performance will address how the software package will perform to the customer’s intended use. To design a system with high-quality performance, project stakeholder must address many issues. Reliability is the ability of a product or service to perform as expected under normal conditions. Lastly, maintainability addresses the ease of performing maintenance on a product. If a software system breaks down after being implementing within a system, project team must review the project to fix the problem to give the user a future satisfying experience.

Planning quality management is the ability to anticipate situations and prepare actions that bring about the desired outcome. Having a plan for the software development life span help to stop a lot of the issues which comes from developing a software system. The first step is to define the quality to match the requirements of both the business and achieving a satisfying user experience. The second step is to broadcast a simple quality metrics, this helps to reduce defeats, as well as keeping the quality on the minds of the whole development team and expose when efforts fall short. Another possible step it to keep fine tuning the project’s goals to make sure the requirements are being meet and each user test of the system has a satisfying experience. Getting the requirements right the first design phase means the software would need to be reworked less and less retesting and troubleshooting code to test for bugs. Designing a simple application helps to lessen the risk for bugs and is easier to test and rework if needed.

What is cybersecurity?

Cybersecurity, or computer security, is the protection of computer systems from the theft or damage to their hardware, software, of electric data, as well as form the disruption or misdirection of the services they provide. The field is becoming more important due to increased reliance to computer systems, the Internet, wireless networks, and the growth of “smart devices.”

 

Vulnerabilities and attacks

A vulnerability is a weakness is design, implementation, operation or internal control. Most of the vulnerabilities that have been discovered are documented in the common vulnerabilities and exposures (CVE) database. An exploitable vulnerability is one for which at least on working attack or “exploit” exists. Vulnerabilities are often hunted or exploited with the aid or automated tools or manually using customized scripts. To secure a computer system, it is important to understand the attacks that can be made against it. Some of the Benefits of cybersecurity are:

  • Business protection malware, ransomware, phishing, and social engineering
  • Protection for data and networks
  • Prevention of unauthorized users
  • Improves recovery time after a breach
  • Protection for end users
  • Improved confidence in the product for both developers and customers

 

Types of cybersecurity Threats

The process of keeping up with new technologies, security treads and threat intelligence is a challenging and ongoing task.

#1 Ransomware: A type of malware that involves an attacker locking the victim’s computer system files, typically through encryption, and demanding a payment to decrypt and unlock them.  Paying the ransom does not guarantee that the file wills be recovered, or the system stored.

 

#2 – Malware: Any file or program used to harm a computer user or gain unauthorized access.

  • Worms
  • Virus
  • Trojan horses
  • Spyware

#3 – Social Engineering: An attack that relies on human interaction to trick users into breaking security procedures in order to gain information that is typically protected

#4 – Phishing: A form of fraud where fraudulent emails are sent that resemble emails from reputable sources; however, the intention of these emails is to steal sensitive data. This is the most common type of cyber-attack.

  • Credit Card
  • Login Information

 

Tenets of Information System Security

There are three protections that must be extended over information: confidentiality, integrity, and availability (CIA).

cia triad
Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization.

#1- Confidentially (Data Privacy)

It is important that only approved individuals can access important information, thus protecting the information from everyone except those with rights to access it. Implementing security controls to help reduce the risk of data leaks by Defining a set of rules that limits access to only authorized users can view information.

Putting an Information Technology security policy framework in place that outlines an identifies where security controls should be used. Protecting private data is the process of ensuring data confidentiality. Organizations must use proper security to this concern. Adopting a data classification standard that defines how to treat data throughout an IT infrastructure.

  • Private data of individuals
  • Intellectual property of businesses
  • Keep data private

 

#2 – Integrity (Validity and accuracy of data)

Integrity ensures that the information is correct and no unauthorized person or malicious software has altered the data. Data lacking integrity (inaccurate and not valid) are of no use to user and organizations.

  • Only authorized users can change information
  • Assurance that the information is trustworthy and accurate

 

#3- Availability (Data is accessible)

Information is accessible by authorized users whenever they request the information and has value if the authorized parties who are assured of its integrity can access the information. Also, information cannot be locked so tight that no one can access it.

The PCI Data Security Standard

The PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. The PCI SSC sets the PCI security standards, but each payment card brand has its own program for compliance, validation levels and enforcement

 

Build and Maintain a Secure Network

#1 – Install and maintain firewall and router configuration standards that formalize testing whenever configurations change, and restrict all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment. Identify all connections to cardholder data and review of configuration rule sets at least every six months.

#2 – Do not use vendor-supplied defaults for system passwords and other security parameters

 

Protect Cardholder Data

#3 – Protect stored cardholder data

#4 – Use strong cryptography and security protocols such as SSL/TLS, SSH or IPSec to safeguard sensitive cardholder data during transmission over open, public networks

 

Maintain a Vulnerability Management Program

#5 – Install and regularly update anti-virus software or programs. Then check that all anti-virus #6 – mechanisms are current, actively running, and generating audit logs.

 

Implement Strong Access Control Measures

#7 – Assign all users a unique user name before allowing them to access system components or cardholder data.

#8 – Limit access to system components and cardholder data to only those individuals whose job requires such access and restrict physical access to cardholder data.

 

Regularly Monitor and Test Networks

#9 – Track and monitor all access to network resources and cardholder data

#10 – Regularly test security systems and processes

 

Maintain an Information Security Policy

#11 – Maintain a policy that addresses information security for all personnel

 

References:

https://www.pcisecuritystandards.org/document_library

https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

 

The General Phases of a Computer Attack

#1 Reconnaissance (information gathering)

Collect information using different tools to gain all information about the target organization, application, or network. This is the longest phase, lasting weeks or months.

  • Internet searches
  • Social Engineering
  • Dumpster diving

 

#2 Scanning (Finding Exploits)

Once the attack has found enough information to understand how the system works, the next phase will be to find the exploits in the target using the information gathered in the reconnaissance phase.

  • Open ports
  • Open Services
  • Default Passwords
  • Vulnerable Applications

 

#3 Gaining Access (Enter the target)

With the exploits found in the scanning phase, the attacker will try to enter the target system using different methods. The attack must gain access to one or more network devices.

  • Session hijacking

 

#4 maintaining Access (accomplish goal)

Once access has been gain to the target, an attacker may want to maintain access to a system or network

  • Backdoors
  • Root-kits
  • Trojans

 

#5 Covering Tracks (remove evidence)

In order to cover their tracks to avoid detection by removing any evidence from the system.

  • Change log files

 

What does a Computer Systems Analyst do?

A Computer Systems Analyst is an IT professional who specializes in the analysis, design, and implementation of an information system for a company or organization.  What a Computer Systems Analyst does is assess the suitability of informational systems in terms of their intended outcome and liaise with end users, venders, system administers, programmers. Systems Analysts are often the company’s best line of defense against an internal or external IT disaster.  The role of this type of analyst within an IT project is to serve as the change agent who can identify the organizational needs, design a system to implement the requirements of the project, and train others to use the system once developed. Computer Systems Analyst must be familiar with a wide range of:

  • programming languages
  • operating systems
  • hardware platforms

However, they do not participate in actual hardware or software development.

Other responsibilities include:

  • developing cost analysis
  • design considerations
  • staff impact amelioration
  • implementations timelines

One the most important tools a Computer Systems Analyst have is the system development life cycle.  Once a development project gains necessary approvals from all participants, the System Analyst’s stage can begin.  Information can be gathered about the existing system in order to determine the requirements for an enhanced system or a brand new system.  The end product of this stage, known as a deliverable, is a tangible or intangible object that can be delivered to a customer.

Salary range in 2013

  • $63,860 to $ 102,480

Education

  • Bachelor’s Degree
  • Computer Science
  • Information Science

Skills

  • Technical knowledge
  • Oral & written communication
  • Understanding of the business or organization daily operations
  • Critical thinking skills

Of the skills I have listed, there are two skills in which I would like to go into more detail are critical thinking and communication skills, something that is not addressed in most IT programs. First of all, communication skills are vital to any type of position, in particular a system analysis must interact with people at all levels within an organization from operational employees to senior executives, and outside the company which may include hardware & software venders, customers, and government officials. Lastly, important critical thinking skills ability to

  • Compare
  • Classify
  • Evaluate
  • recognize patterns
  • analyze cause-and-effect
  • apply logic

 

Works Cited

Bratcher, Emily H. Computer Systems Analyst: Salary. 2015. Web Page. 18 February 2015.

Computer Systems Analysts. 8 January 2014. Web Page. 18 February 2014.

toptenreviews. Systems Analyst. 2015. Web Page. 18 Febuary 2015.

Wikipedia, the free encyclopedia. Systems analyst. 23 February 2015. Web Page. 18 February 2015.

What are Firewalls, why do they matter?

Having Wi-Fi access where ever you go may not always be a good thing. Having a constant mobile network connection increase the changes of online threads. There are ways to prevent this but sometimes it is not enough just too simple true off your device, more personal device have GPS pre-installed into the firm wear a hacker could track your movements. One way to defended against this is by implementing a network firewall to shield your device from malicious threats.

A firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set. This type of network security is a barrier between a trusted and secure internet network and another network. There are very many firewalls available online, thing to consider when choosing a firewall for network security. In general, your decision should be based on performance, application features, and most of all cost. Performance requirements might include how many device and users do you have online at a single time? Choosing a firewall based on features can be the most difficult, everyday updates for firewall provide even more features that just a simple network security layer. The features a user needs to focus on is what are you trying to secure within your network, online gaming, web browsing, or home office? Lastly the cost of the firewall to implement within the network. There are two types of costs: fixed and recurring costs. Having a fixed cost is paying upfront for the system, this may include hardware and installation. A recurring cost with having a firewall is having technical support and subscriptions.

 

Orignal Article – https://www.infosecurity-magazine.com/news/firewall-still-critical-tool-in/

Open Source Wireless Protocol Analyzer

A packet analyzer is a computer program that can intercept and log data traffic passing through a network. When data streams flow across a network a packet analyzer will capture each packet and decodes the packet’s raw data. Of the many open source network protocol analyzers the three most popular applications being used are Wireshark, Capsa, and Packetyzer.

Wireshark

Wireshark is a very popular free and open source network analyzer, and is cross platform. What makes this software application so popular to users is how easy it is for anyone to all view network traffic visible on any given network interface. Similar to tcpdump but with a graphical front end instead of command line interface, plus sorting and other advanced filtering options allowing the user to examine data more in-depth from a live network or saved packets in memory. What Wireshark cannot do is be used as a network detection system or for manipulating packets only to examining them.

Wireshark uses the application programming interface (API) pcap to capture packets, which comes from the libpcap code library for the C programming language on UNIX base system, winpcap for windows based machines. Libpcap was first developed at Lawrence Berkeley Laboratory to be used with tcpdump for low level packet capturing.

Capsa
Another popular analyzer to use is Capsa which comes in a three different versions ranging in price from free to $995. This application does everything Wireshark does including real time packet capturing, constant network monitoring. But where this product does surpasses Wireshark is its advanced graphical interface that provides a clearer view of any network making the task of conducting packet level analysis and other network problems easier. What makes a tool for network administrators to use is that is costs $995 for the Enterprise edition and $695 for the Professional, which can be a hard for a starting IT budget but the free is a good way to first test before purchasing it. The Free version has a lot of the advanced features taken out and can only monitor ten IP addresses at once, and how a downtime of four hours before being able to be used again.
Packetyzer

The last analyzer research was Packetyzer which is a very basic packet sniffer application based on the Ethereal project and provides a GUI for windows machines. This application was the same as Wireshark but did not have as nice of a graphical interface for packet capturing.

Of the three applications I researched I would recommend to any IT professional to use Wireshark as a starting to for their networking trouble shooting problems, because it is easy for anyone to use and can be use on any system for free. My second choice would be Capsa because in the event where is an network administer does encounter a more advanced network problem to look into many investing in Capsa if the problem require a more in-depth exam to find a solution.

Mobile Device security in the workplace

Access to data is no longer limited to the fixed computer workstation.  Laptops, Smartphones, and tablets give us access to files, pictures, and music from anywhere in the world.  This is especially attractive in the work place environment where mobility allows employees to check emails, access applications on the cloud, or review office documents.  Unfortunately, the idea of “bring your own device” (or BYOD) to work is creating privacy and security issues prompting questions of how much access should anyone have to a company’s network or cloud.

News of internal data leaks of office documents are all over the Internet raising concerns about how to prevent confidential data from falling into hackers or competitor’s hands.  There have been attempts to address this growing mobile device risk in the world of IT but separating the company’s and employee’s device has proven to be costly and very difficult to implement. Some companies buy mobile devices for employees yet they continue to lose the ability to cut costs, even when buying in bulk.  The company ends up paying for calls and data plans as employees claim these costs as work expenses.  In addition, implementing new network security measures to cope with the increase of new devices on the network is very costly.  The company’s IT department must spend more money and other resources on mobile data protection, network access control, and device management.

One solution is to implement a Virtual Mobile Infrastructure (VMI) where a user can access virtual mobile operating systems that are running on the company’s server without putting the company data at risk.  Employees and users have access to two operating systems on their mobile device; one dedicated to the company server and the other for personal Internet access.  An example of how an employee or IT administrator can use this concept is to run one or more virtual machines with Android application in data centers and deliver the application data to any location

Free Online Operating System Tutorials

Few free online tutorials about what operating systems are and what they can do.

Tutorials Point
https://www.tutorialspoint.com/operating_system/

This site had 15 sections about what an operating system is and all the different parts, including a section on Linux. The target audience of this tutorial was computer science graduates to help them understand the basic to advanced concepts related to Operating System. One thing I liked best about this website was a section with OS Exams Questions with Answers to help with the learning process.

W3schools
https://www.w3schools.in/operating-system-tutorial/intro/

W3schools is an origination of teams of professional experts in various fields of designing and software application development. This Operating System tutorial has 16 sections all the main concepts of what an OS is, and one final section that briefly described Linux and what a kernel was. This tutorial was more on the short side and just scratch the surface of the basic concepts of what an operating system is and what it can do.

StudyTonight
https://www.studytonight.com/operating-system/

Studytonight provides free and easy education on the Internet, with the goal of working towards bringing the entire study routine of students on the Internet. This course had 3 modules: introduction, process & multithreading, and memory management. It also had topical test and Q & A form to help student with the course and learning Linux.