
The future of Cybersecurity Technology and Policy (IoT)

 

The future of Cybersecurity Technology and Policy

 

Abstract

This paper addresses the emerging cybersecurity technologies related primarily to the Internet of Things (IoT), and how these new technologies show hope for change and innovation in the field.  It also looks at government policy, which has lagged in its ability to keep pace with the dynamic change in technology and cybersecurity practice.  Understanding the technology and satisfying the initial need are two completely different things.  Finally, we look at the overall impact that the government policy applied in cases against a hotel company and a mobile device vendor is having on IoT innovation in this field.

Countering cyber-attacks at all levels

One of the fastest growing areas in technology is the concept of the Internet of Things (IoT).  IoT is a very broad area; it ultimately encompasses everything that is connected.  In fact, (Forbes & Morgan, 2004) says, “that by 2020 there will be over 26 billion connected devices… That’s a lot of connections (some even estimate this number to be much higher, over 100 billion)”.  Despite many attempts to define IoT, there was not a good definition until the past year.  (Gartner Research, n.d.) defined it by saying, “The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”  Forbes went to greater lengths to simplify IoT: “Simply put, this is the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other).”  This includes, but is not limited to, smartphones, smart electrical grids, toasters, Fitbits and other wearables, which shows the range under discussion.  Much like the definition, which can be slightly vague, cybersecurity policy and mitigation are also heavily undefined in this area.  The upside of IoT is that it reduces human involvement while improving accuracy and efficiency, resulting in economic benefit (CHALLA et al., 2017, p. xx).  According to the Institute of Electrical and Electronics Engineers (IEEE), there are emerging technologies that show positive signs of hope in this fast-growing area: application authentication and key management practices, computed trust nodes, and lightweight security protocols for cloud-based IoT applications on battery-limited mobile devices.

Benefits to Cybersecurity

Each of these emerging technologies offers a different approach to establishing a level of trust in cybersecurity.  One emphasizes a solution built around a secure authenticated key establishment scheme, another improves on trust systems through the placement of trusted nodes within a network, and the last dives deeper into a lightweight encryption scheme concentrating on cloud-based cybersecurity.

Signature Based Authenticated Key Establishment Scheme

The basic premise for this new technology is that IoT as a concept has a high potential for weak security and privacy, largely because security cannot be established at the design level for each connected object.  This is where most of the security challenges come into play.  The key features that make this a very promising emerging methodology or practice are:

  • An authentication model for IoT to follow.  This model defines a form of mutual authentication: a user authenticates through a gateway node, and the IoT device authenticates through the gateway node as well.  Through this mutual authentication the user is then authenticated to the IoT device by proxy.
  • A secure signature-based authentication and key agreement scheme.  A legal user can access the information from a sensing device in an IoT application if both mutually authenticate each other (CHALLA et al., 2017, p. xx).  After their mutual authentication, a secret session key is established between them for future communication.

The ultimate benefit of wide use of this methodology is that it has proven very efficient in communication and computational costs, which helps to solve the problem of identity on IoT devices.  The proposed scheme also protects itself from replay attacks by using random numbers as well as current timestamps; the assumption is that the clocks of all users in the IoT environment are synchronized.  There are eight phases to implementation:

  • System setup
  • Sensing device registration
  • User registration
  • Login
  • Authentication and key agreement
  • Password and biometric update
  • Smart card revocation
  • Dynamic sensing device addition
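The login and authentication-and-key-agreement phases above can be hard to picture from the list alone. The following is an added illustration, not the cited paper's construction or code: a user logs in through a gateway node, the gateway and the sensing device authenticate each other, and the user and the device end up sharing a fresh session key. HMAC under keys issued at registration stands in for the scheme's digital signatures (assumed simplification); every message carries a random nonce and a timestamp, and receivers reject stale timestamps and repeated nonces, which is the replay protection the text describes and which relies on synchronized clocks. Message layouts, the 30-second skew tolerance and the party names are assumptions.

```python
"""Added illustration (not the cited paper's construction): gateway-mediated mutual
authentication with nonce + timestamp replay protection and session-key agreement.
HMAC under registration keys stands in for the paper's signatures."""
import hashlib
import hmac
import secrets

SKEW = 30  # assumed clock tolerance in seconds (scheme assumes synchronized clocks)


def mac(key, *parts):
    """Authenticate a sequence of fields (stand-in for a signature)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def check(key, tag, *parts):
    if not hmac.compare_digest(mac(key, *parts), tag):
        raise ValueError("authentication failed")


class Freshness:
    """Replay cache: reject stale timestamps and nonces already seen from a principal."""

    def __init__(self):
        self.seen = set()

    def require(self, who, nonce, ts, now):
        if abs(now - ts) > SKEW or (who, nonce) in self.seen:
            raise ValueError("replayed or stale message")
        self.seen.add((who, nonce))


def session_key(uid, did, n_u, n_g, n_d):
    """Both ends derive the key from the three nonces bound to both identities."""
    return hashlib.sha256(b"|".join([uid.encode(), did.encode(), n_u, n_g, n_d])).digest()


class Gateway:
    def __init__(self):
        self.users, self.devices, self.fresh = {}, {}, Freshness()

    def register_user(self, uid):  # user registration phase
        self.users[uid] = secrets.token_bytes(32)
        return self.users[uid]

    def register_device(self, did):  # sensing device registration phase
        self.devices[did] = secrets.token_bytes(32)
        return self.devices[did]

    def forward_login(self, m, now):
        """Message 1 -> 2: verify the user's login, relay an authenticated request to the device."""
        uid, did, n_u, ts = m["uid"], m["did"], m["n_u"], m["ts"]
        check(self.users[uid], m["mac"], b"login", uid.encode(), did.encode(), n_u, str(ts).encode())
        self.fresh.require(uid, n_u, ts, now)
        n_g = secrets.token_bytes(16)
        return {"uid": uid, "did": did, "n_u": n_u, "n_g": n_g, "ts": now,
                "mac": mac(self.devices[did], b"gw>dev", uid.encode(), did.encode(), n_u, n_g, str(now).encode())}

    def forward_reply(self, r, now):
        """Message 3 -> 4: verify the device's reply, relay the nonces to the user."""
        uid, did, n_u, n_g, n_d = r["uid"], r["did"], r["n_u"], r["n_g"], r["n_d"]
        check(self.devices[did], r["mac"], b"dev>gw", uid.encode(), did.encode(), n_u, n_g, n_d, str(r["ts"]).encode())
        self.fresh.require(did, n_d, r["ts"], now)
        return {"uid": uid, "did": did, "n_u": n_u, "n_g": n_g, "n_d": n_d, "ts": now,
                "mac": mac(self.users[uid], b"gw>user", uid.encode(), did.encode(), n_u, n_g, n_d, str(now).encode())}


class Device:
    def __init__(self, did, key):
        self.did, self.key, self.fresh, self.sk = did, key, Freshness(), None

    def answer(self, m, now):
        """Message 2 -> 3: verify the gateway, pick a nonce, derive the session key."""
        uid, did, n_u, n_g = m["uid"], m["did"], m["n_u"], m["n_g"]
        check(self.key, m["mac"], b"gw>dev", uid.encode(), did.encode(), n_u, n_g, str(m["ts"]).encode())
        self.fresh.require("gateway", n_g, m["ts"], now)
        n_d = secrets.token_bytes(16)
        self.sk = session_key(uid, did, n_u, n_g, n_d)
        return {"uid": uid, "did": did, "n_u": n_u, "n_g": n_g, "n_d": n_d, "ts": now,
                "mac": mac(self.key, b"dev>gw", uid.encode(), did.encode(), n_u, n_g, n_d, str(now).encode())}


class User:
    def __init__(self, uid, key):
        self.uid, self.key, self.n_u = uid, key, None

    def login(self, did, now):
        """Message 1 (login phase): fresh nonce and timestamp under the user's key."""
        self.n_u = secrets.token_bytes(16)
        return {"uid": self.uid, "did": did, "n_u": self.n_u, "ts": now,
                "mac": mac(self.key, b"login", self.uid.encode(), did.encode(), self.n_u, str(now).encode())}

    def finish(self, m, now):
        """Message 4: verify the gateway's reply and derive the same session key."""
        check(self.key, m["mac"], b"gw>user", self.uid.encode(), m["did"].encode(),
              m["n_u"], m["n_g"], m["n_d"], str(m["ts"]).encode())
        if m["n_u"] != self.n_u or abs(now - m["ts"]) > SKEW:
            raise ValueError("reply does not belong to this login")
        return session_key(self.uid, m["did"], m["n_u"], m["n_g"], m["n_d"])


def run(gw, user, device, now):
    """Drive the four messages; returns the keys each end derived."""
    m4 = gw.forward_reply(device.answer(gw.forward_login(user.login(device.did, now), now), now), now)
    return user.finish(m4, now), device.sk
```

Replaying a captured login message is rejected by the gateway's nonce cache even when the timestamp is still within tolerance, and a message whose timestamp drifts beyond the tolerance is rejected even with a fresh nonce; both checks are needed, because either alone leaves a window open.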

This new best practice can be applied to many different industries with regard to IoT, much like the cybersecurity frameworks established by NIST for its categorization of authentication in web-based applications.  It could potentially be incorporated to help satisfy some of the “reasonable security measures” that the FTC, a government agency, has been known to uphold; more on this later in the paper.  Establishing standard frameworks for cybersecurity in IoT may allow some businesses that are on the fence about moving to this technology to start implementing it and eventually start innovating in the area.

Optimal Trust System Placement in SCADA Networks

Privacy and trust are also a large concern for the US smart grid, mainly because the smart grid network depends heavily on information and communication technology (ICT).  Supervisory control and data acquisition (SCADA) systems are an integral part of the modern smart grid; their primary function is carrying control messages and measurements.  At the moment the system is in its fourth generation of architecture, which introduced two key new technologies (Hasan & Mouftah, 2016, p. xx): the first is cloud computing and the second is IoT, and both make the smart grid more susceptible to a complete outage.  Slight modifications of these systems may cause an outage across the entire grid.  Smart grid operators use trust systems to monitor network traffic to and from different nodes; the nodes hosting them are called trust nodes, and the trust systems themselves include both a firewall and an intrusion detection system.  In deciding which nodes are the best places to deploy trust systems, two factors need to be considered: capital expenditures and operational expenditures (Hasan & Mouftah, 2016, p. xx).  Because of budgetary constraints only a fixed number of trust systems can be deployed to the nodes.  The SCADA network also needs to be segmented, both to minimize the amount of cyber-attack traffic and to make the trust nodes more effective.  There are some potential risks that these SCADA systems need to watch out for; three main types of attack put the current SCADA network at risk:

  • Targets power plants. Disrupts operation or generation.
  • Targets power distribution and control systems. Disrupts state information that may lead to instability.
  • Targets consumer premises. It could potentially cause an increment in the load that could damage the grid.

The focus of the new emerging technology is the optimal placement of the trust nodes in the SCADA network.  The solution is an algorithm in which minimum spanning trees (MST) represent the smaller segments; it then determines the least expensive way of forming these segments and deploying trust systems to the trust nodes, thereby segmenting the electrical grid enough to protect it from cyberattacks in the most cost-efficient way possible.  The emerging technology directly affects not only the US smart grid and its efficiency; on a local level the algorithm could be applied to other industries where cost is an issue, possibly the automotive and factory-related industries, which clearly have large systems that need to be segmented for better protection.  With the high priority on moving toward smaller microgrids, this technology is essential, and the energy industry globally should be able to benefit from it.
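To make the placement idea concrete, here is an added illustration in Python; it is not the cited paper's algorithm or code, and its topology, link costs, segmentation rule and tie-breaking are all constructed assumptions. A minimum spanning tree over the link costs gives the cheapest backbone (Kruskal's algorithm), cutting the costliest tree links yields the segments, and one trust system (firewall plus IDS) is placed per segment at the node with the most tree links, with the number of segments limited by how many trust systems the budget allows.

```python
"""Added illustration (not the cited paper's algorithm): MST-based segmentation of a
constructed SCADA topology and budget-limited placement of trust systems."""

# Constructed topology: (node_a, node_b, link cost).  CC = control centre,
# SS = substation, RTU = remote terminal unit.  Costs are made up.
LINKS = [("CC", "SS1", 4), ("CC", "SS2", 5), ("SS1", "RTU1", 2), ("SS1", "RTU2", 3),
         ("SS2", "RTU3", 2), ("SS2", "RTU4", 6), ("RTU1", "RTU2", 7),
         ("RTU3", "RTU4", 1), ("SS1", "SS2", 8)]


def find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def kruskal(links):
    """Return the minimum spanning tree edges and their total cost."""
    nodes = {n for a, b, _ in links for n in (a, b)}
    parent = {n: n for n in nodes}
    tree, total = [], 0
    for a, b, cost in sorted(links, key=lambda e: e[2]):
        ra, rb = find(parent, a), find(parent, b)
        if ra != rb:  # joining two different components cannot create a cycle
            parent[ra] = rb
            tree.append((a, b, cost))
            total += cost
    return tree, total


def components(nodes, edges):
    """Connected components of the graph (nodes, edges), as a sorted list of sets."""
    parent = {n: n for n in nodes}
    for a, b, _ in edges:
        parent[find(parent, a)] = find(parent, b)
    groups = {}
    for n in nodes:
        groups.setdefault(find(parent, n), set()).add(n)
    return sorted(groups.values(), key=lambda s: sorted(s))


def place_trust_systems(links, budget):
    """Split the MST into `budget` segments (cutting its costliest links) and pick
    one trust node per segment: the node with the most remaining tree links, since
    it sees the most intra-segment traffic.  Returns {trust_node: segment_nodes}."""
    tree, _ = kruskal(links)
    nodes = {n for a, b, _ in links for n in (a, b)}
    kept = sorted(tree, key=lambda e: e[2])[: len(tree) - (budget - 1)]
    degree = {n: 0 for n in nodes}
    for a, b, _ in kept:
        degree[a] += 1
        degree[b] += 1
    placement = {}
    for segment in components(nodes, kept):
        best = max(sorted(segment), key=lambda n: degree[n])  # deterministic tie-break
        placement[best] = segment
    return placement
```

With a budget of two trust systems the tree's most expensive link (CC to SS2) is cut, producing a control-centre segment guarded at SS1 and a second segment guarded at RTU3; a budget of one leaves the whole tree as a single segment guarded at SS1.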

CP-ABE Scheme for Mobile Devices

The last emerging technology is the development of a CP-ABE scheme for battery-limited mobile devices.  In the IoT world many new applications emphasize one device in particular: the smartphone, and the ability to create secure applications for it is a must.  This emerging technology focuses on the encryption mechanism of Ciphertext-Policy Attribute-Based Encryption (CP-ABE).  The problem is that most CP-ABE schemes are based on bilinear maps, require long decryption keys and ciphertexts, and incur significant computational costs (Odelu, Das, Khurram Khan, Choo, & Jo, 2017, p. xx).  These limitations prevent CP-ABE schemes from being deployed on battery-limited mobile devices.  The new emerging technology is an RSA-based CP-ABE with a constant-length secret key.  Its encryption and decryption times are O(1) in time complexity, which is groundbreaking, as other solutions have failed to be this efficient up until this point.

CP-ABE has been around for years, but the efficiency this new method brings now makes it applicable to modern IoT technologies, primarily the smartphone but not limited to it.  The RSA-based CP-ABE is broken down into four main algorithms:

  • Setup – takes a security parameter and the universe of attributes as inputs and outputs a master public key and its corresponding master secret key.
  • Encrypt – takes an access policy, the master public key and the plaintext as inputs and outputs a ciphertext.
  • KeyGen – takes an attribute set, the master public key and the master secret key as inputs and outputs a user secret key corresponding to the attributes.
  • Decrypt – takes a ciphertext generated under an access policy, the master public key and the user secret key, and outputs the plaintext (Odelu, Das, Khurram Khan, Choo, & Jo, 2017, p. xx).

Real-world usage of this kind of technology isn’t limited to mobile phones.  Since this is an attribute-based encryption system, it can be used almost anywhere attribute-based encryption is used, which includes token-based authentication with JSON Web Tokens and the creation of JWE, an encrypted JSON Web Token, used in OAuth systems all over the internet in almost every authenticated application.  JSON Web Tokens are used today as an attribute-based system: instead of attributes, the RFC calls them claims, and the claims are encrypted and sent with a token to the user trying to authenticate.  The claims are then evaluated and the user is given a long-lived token for subsequent requests until the token expires.  This creates a stateless session for any web application.  OAuth is a security framework widely used to authenticate a user across multiple services.  With the emergence of this new technology, businesses will be able to use the RSA-based system much as current systems use claims in JWTs, and the entire online web community will be able to take advantage of it in the coming years.
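The claim-set mechanism the paragraph describes is easiest to see in code. The following is an added example, not code from the page or from the RFCs it cites: a minimal HS256 JSON Web Token issuer and verifier using only the Python standard library. Note that this example signs the claims (a JWS, RFC 7519) rather than encrypting them; JWE (RFC 7516) is the encrypted form. The server signs the claims, the client presents the token on later requests, and the server re-checks the signature and the expiry without keeping any session state. The key, claim names and timestamps are constructed values.

```python
"""Added example (not from the page): HS256 JWT issue/verify with expiry and
algorithm checks, standard library only.  Key and claims are constructed."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(claims: dict, key: bytes) -> str:
    """Sign a claim set: header.payload.signature, all base64url."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify(token: str, key: bytes, now: int) -> dict:
    """Return the claims if signature, exp and nbf check out; raise ValueError otherwise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(unb64url(h))
    if header.get("alg") != "HS256":  # refuse 'none' and any algorithm the server did not choose
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(unb64url(p))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims
```

The verifier pins the algorithm before looking at the signature, which is what stops a forged header from switching the server to an unsigned (`none`) or weaker algorithm, and it evaluates `exp` only after the signature has been checked, so an attacker cannot extend a lifetime by editing the payload.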

Federal Government Nurturing the Technologies

Cooperative effort between the government community and the technology community is needed when discussing new technology concepts such as IoT, and there is still a lot of work to be done.  A good place to start is the Federal Trade Commission (FTC).  Under the Act it enforces there is a requirement for “reasonable security measures”, which the agency uses to regulate unfairness.  (IEEE & Loza de Siles, n.d.) says, “Under the Act, this agency regulates conduct involving the Internet and otherwise as that conduct relates to consumers and competition.”  Under this Act there are three main components that categorize unfair or deceptive acts:

  • The act or practice results in substantial consumer injury
  • The consumer cannot reasonably avoid that injury
  • The harm caused by the act or practice is outweighed by countervailing benefits to consumers or to competition.

An actor’s unfair act or practice may not be the cause of consumer injury for the actor to be liable under the Act (IEEE & Loza de Siles, n.d.).  The FTC prosecuted several Wyndham companies for unfair acts or practices regarding the cybersecurity risks to hotel guests’ personal information, where hackers ended up exploiting those risks on three separate occasions, injuring 619,000 consumers.  (IEEE & Loza de Siles, n.d.) continues, “Under the FTC’s unfairness authority, IoT and other companies must use “reasonable security measures” to protect consumers’ data.”  It is very promising that consumers are being protected in this manner, as this is long overdue.  However, vagueness, much like in the definition of IoT, is still the issue.  There needs to be more policy writing that fosters concrete laws that move with the dynamically changing landscape.  This does show the overall support of the government agency for protecting this newly emerging field.

HTC is another example of how the FTC was willing to go after offenders in the grey area of this Act.  The FTC alleged that HTC failed to implement reasonable security measures: HTC, among other illegal conduct, introduced permission re-delegation vulnerabilities in its customized, pre-installed mobile applications on Android-based phones and thereby undermined the operating system’s more protective security model (IEEE & Loza de Siles, n.d.).  This shows that even though the policy is archaic, there is still a government entity looking out for consumers.  Accordingly, the important take-away regarding the FTC’s Tried and True Guidance is that what constitutes “industry-tested and accepted methods” of data security is dynamic and a constantly moving target (IEEE & Loza de Siles, n.d.).  But where do “reasonable security measures” end?  One can clearly see how this may deter innovators from pursuing such areas of interest.  In the end, there need to be more capable policy writers to keep up with the times; it looks as though severe rewrites need to happen in the next five to ten years.  Only then will innovators and security experts truly see eye to eye.

Conclusion

One of the fastest growing areas in technology is the Internet of Things (IoT), and it is a very exciting time.  There are some very important new emerging technologies to take note of that will allow for more innovation in the IoT field.  As the field continues to grow there will always be more potential risks.  The emerging security solutions and methodologies are grossly behind, and policy is even further behind the technology needed to combat some of the threats that IoT faces.  For this field to get the growth it needs, cyber policy must be written so that innovators can develop in this space with confidence.  Until this is done there will not be enough significant innovation to alleviate all the security threats, because of the inability to fund a startup in this space without thinking the investment is going to go directly to liability issues in a few years, or even worse, in its first year.  The ability to see the government take the initiative to protect consumers is, however, very refreshing.

References

CHALLA, S., WAZID, M., KUMAR DAS, A., KUMAR, N., REDDY, A., YOON, E., & YOO, K. (2017). Secure signature-based authenticated key establishment scheme for future IoT applications. IEEE Access, 5, 3028-3043. Retrieved from http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7867773

Forbes, & Morgan, J. (2004, May 13). A simple explanation of ‘the internet of things’. Retrieved from https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#697fb71f1d09

Gartner Research. (n.d.). Internet of things defined – tech definitions by Gartner. Retrieved from http://www.gartner.com/it-glossary/internet-of-things/

Hasan, M. M., & Mouftah, H. T. (2016). Optimal trust system placement in smart grid SCADA networks. IEEE Access, 4, 2907-2919. doi:10.1109/access.2016.2564418

IEEE, & Loza de Siles, E. (n.d.). Cybersecurity Law and Emerging Technologies Part 1 – IEEE Future Directions. Retrieved from http://sites.ieee.org/futuredirections/tech-policy-ethics/may-2017/cybersecurity-law-and-emerging-technologies-part-1/

Odelu, V., Das, A. K., Khurram Khan, M., Choo, K. R., & Jo, M. (2017). Expressive CP-ABE scheme for mobile devices in IoT satisfying constant-size keys and ciphertexts. IEEE Access, 5, 3273-3283. doi:10.1109/access.2017.2669940

RFC 7516 – JSON Web Encryption (JWE). (n.d.). Retrieved from https://tools.ietf.org/html/rfc7516

RFC 7519 – JSON Web Token (JWT). (n.d.). Retrieved from https://tools.ietf.org/html/rfc7519

WannaCry Ransomware : What is it and How to Protect against it

 

The WannaCry ransomware burst into the spotlight over the weekend as reports of infections streamed in from around the globe. This has affected systems in more than 150 countries with more than 230,000 computers infected.

What is Ransomware?

Ransomware is a type of malicious software (computer virus) that encrypts data and blocks access to it until a ransom is paid. It usually spreads via spam emails and malicious download links, and displays a message requesting payment to decrypt the data.

The WannaCry ransomware, a.k.a. Wanna Decryptor, uses the leaked NSA exploit EternalBlue, which targets the Windows SMB service and can be used to hijack computers running unpatched, vulnerable Microsoft Windows operating systems.

The ransomware has affected systems in more than 150 countries. It uses social engineering/spear phishing as its attack vector, sending malicious links or a PDF file which, when clicked, installs the ransomware. Once installed, it scans the entire network for other vulnerable devices and spreads.

Follow these steps to prevent infection:

  • Update your system.
  • Upgrade to Windows 10 if you are using an older version, and keep it updated.
  • If you are using an older version of Windows, apply these patches immediately: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • Enable the firewall and block access to the SMB ports: TCP 137, 139 and 445, and UDP 137 and 138.
  • SMB is enabled by default on Windows. Disable the SMB service: https://support.microsoft.com/en-in/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
  • Have a pop-up blocker running on your web browser.
  • Update your antivirus.
  • Back up your data regularly.
  • Do not open attachments from unknown sources.

WHAT IF YOU ARE INFECTED?

Never pay the ransom.

It’s up to you whether to pay the ransom or not. There is no guarantee that you will get your files back.

Are DDoS attacks about to die? – 3 top projects that might make you think twice.

 

Denial of service (DoS) attacks and distributed denial of service (DDoS) attacks are on the rise, and many of the world’s companies have been forced to deal with them as a potential threat.  (Zetter, 2016) defines DoS attacks as, “an attack that overwhelms a system with data—most commonly a flood of simultaneous requests sent to a website to view its pages, causing the web server to crash or simply become inoperable as it struggles to respond to more requests than it can handle.”  Since their initial use, DDoS attacks have emerged: distributed denial of service attacks are attacks from multiple computers against one or more targets.  These computers are usually part of a larger botnet whose members are spread all over the world.  DDoS attacks are hard to deal with because malicious traffic is more difficult to identify and merely blocking an IP address is not enough.  The end result of both DDoS and DoS attacks is that legitimate users are unable to use computer systems for their intended purpose.  New methods and techniques for dealing with these DDoS attacks are emerging.

Anomaly Based detection system with Multivariate Correlation Analysis

One of the more promising solutions to DDoS attacks is the Multivariate Correlation Analysis system, or MCA.  The research paper identifies multiple mitigation techniques in the detection process.  The overall solution is built for speed of detection, which is a very powerful element in thwarting DDoS attacks.  The paper distinguishes between older misuse-based detection systems and newer anomaly-based systems such as MCA itself.  Misuse-based detection systems identify malicious network traffic based on previously known attacks; the problem is their inability to identify new DDoS attacks or variations of old attacks.  Keeping a valid signature database updated is also troublesome and very labor-intensive.  Because of this, the cybersecurity industry was on the lookout for a better detection system.  Anomaly-based solutions were then sought out heavily: since DDoS attacks themselves are hard to identify, it is a lot easier to characterize normal traffic on a network and then compare it with the current traffic.

Anomaly based detection system

Anomaly-based detection systems have the ability to identify a baseline of a company’s traffic during normal usage and then sift out the remainder as malicious traffic.  Unfortunately, anomaly-based systems are prone to false positives and false negatives due to lack of training and the simplistic models used.  The new multivariate correlation analysis system has proved promising in solving this issue.  Its framework can be broken into three distinct levels:

  1. Generate a normalized record from internet traffic entering the internal network. This level takes the incoming traffic data and passes it to level 2.
  2. Apply multivariate correlation analysis with triangle area map generation. In this step the normalized records from level 1 are compared to find correlations.
  3. Decision making is the final level, which separates legitimate records from DDoS attack or illegitimate records.
    1. The training phase builds a normal profile of traffic.
    2. The test phase builds profiles of individual observed traffic records.

Triangle area map mitigation technique

The triangle area map technique was used to speed up the MCA process.  It allows quick comparison of two triangle area map records.  If one pictures a triangle area map record as an image, any differences between two records show up where the triangles’ sides are not identical, and this is reflected in the lower part of the triangle.  This allows the system to focus on inspecting the lower part of the triangle, which decreases the amount of data to analyze and query.  The resulting speed is roughly two thirds faster than running the normal MCA process.

Mahalanobis Distance mitigation technique

The Mahalanobis distance (MD) mitigation technique allows the solution to be more accurate when identifying variations.  The model can be explained with an analogy to the spices in a baking recipe.  If you plot the volumes of all the different spices in the recipe on an x and y axis, changing the overall volume would not change the flavor profile of the recipe.  However, if you add more of one ingredient, say salt or butter, you would definitely taste the difference.  The Mahalanobis distance works in the same way: rather than focusing predominantly on volume, it measures the variation of the critical indicators relative to one another, much as flavor depends on the strength of the individual ingredients.

While the triangle area map is used to identify similarities between record sets faster, MD is used to identify the dissimilarity between traffic records.  (Tan, Jamdagni, He, Nanda, & Liu, 2011, p. xx) says, “This is because MD has been successfully and widely used in cluster analysis, classification and multivariate outlier detection techniques.”
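The three levels, the triangle area map and the Mahalanobis distance fit together as follows. This is an added example in Python, not the cited system's code: each traffic record is a small feature vector (stage 1), the pairwise triangle areas form the lower triangle of its triangle area map (stage 2), and the decision stage fits a normal profile (mean and covariance of the training maps) and flags any record whose Mahalanobis distance from that profile exceeds a threshold derived from the training distances. The feature names, sample values, the threshold rule and the pure-Python matrix inverse are all assumptions made for the illustration.

```python
"""Added example (not the cited system's code): MCA detection on constructed records
using a triangle area map and the Mahalanobis distance.  Pure standard library."""
import math

# Constructed "normal" records: (packets/s, bytes/s, distinct source addresses)
NORMAL = [(120, 9000, 15), (130, 7800, 16), (110, 10700, 14), (125, 8500, 17),
          (118, 11100, 13), (135, 9200, 18), (122, 7300, 15), (128, 10700, 16)]


def triangle_area_map(record):
    """Stage 2: area of the right triangle spanned by each pair of features; only the
    lower triangle of the (symmetric) map is kept."""
    f = [float(v) for v in record]
    return [abs(f[i] * f[j]) / 2.0 for i in range(len(f)) for j in range(i)]


def mean_and_cov(rows):
    """Sample mean vector and covariance matrix of a list of equal-length vectors."""
    n, d = len(rows), len(rows[0])
    mu = [sum(r[k] for r in rows) / n for k in range(d)]
    cov = [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in rows) / (n - 1)
            for j in range(d)] for i in range(d)]
    return mu, cov


def invert(m):
    """Gauss-Jordan inverse with partial pivoting (fine for the small maps here)."""
    d = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(d)] for i, row in enumerate(m)]
    for c in range(d):
        p = max(range(c, d), key=lambda r: abs(a[r][c]))
        a[c], a[p] = a[p], a[c]
        pivot = a[c][c]
        if abs(pivot) < 1e-12:
            raise ValueError("singular covariance: training records are not varied enough")
        a[c] = [v / pivot for v in a[c]]
        for r in range(d):
            if r != c and a[r][c] != 0.0:
                factor = a[r][c]
                a[r] = [rv - factor * cv for rv, cv in zip(a[r], a[c])]
    return [row[d:] for row in a]


def mahalanobis(x, mu, inv_cov):
    """Distance of x from the profile, scaled by how the features co-vary."""
    diff = [xi - mi for xi, mi in zip(x, mu)]
    tmp = [sum(inv_cov[i][j] * diff[j] for j in range(len(diff))) for i in range(len(diff))]
    return math.sqrt(max(sum(t * dd for t, dd in zip(tmp, diff)), 0.0))


class MCADetector:
    def __init__(self, training, margin=1.2):
        """Training phase: normal profile plus a threshold just above the largest
        distance seen on training data (margin is an assumed tuning knob)."""
        maps = [triangle_area_map(r) for r in training]
        self.mu, cov = mean_and_cov(maps)
        self.inv = invert(cov)
        self.threshold = margin * max(mahalanobis(t, self.mu, self.inv) for t in maps)

    def distance(self, record):
        """Test phase: distance of one observed record's map from the normal profile."""
        return mahalanobis(triangle_area_map(record), self.mu, self.inv)

    def is_attack(self, record):
        """Decision making: beyond the threshold means illegitimate."""
        return self.distance(record) > self.threshold
```

A flood that multiplies the packet rate while leaving byte volume and source count alone distorts two of the three triangle areas by orders of magnitude, so its distance dwarfs anything seen in training; the covariance scaling is what lets a rate change that is large relative to normal variation stand out even when other features look ordinary.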

 

Tracemax DDoS System

The Tracemax system is another project that shows potential, and it takes a slightly different approach to detecting DDoS attacks.  Tracemax is software installed on downstream devices throughout the internet, for instance at an ISP.  It can be installed at the customer level; however, at the ISP level it would allow the ISP to blacklist attackers or bots, identify botnets within the ISP’s network, or verify malicious ISPs (Hillmann, Tietze, & Rodosek, 2015, p. xx).  This research was selected because it clearly addresses a very important problem in cyber security at the moment: attribution.  Identifying the potential initiator of an attack allows law enforcement, government and state officials to take further action.

The devices running the Tracemax software label each packet so that its exact path can be traced from a generated abstract ID.  This ID is stored in the options header of the packet.  This allows Tracemax to handle a larger number of hops than any other tracing tool known to the general public to date; see table 1.  The benefits of using the Tracemax software are as follows:

  1. Single-packet traceback, which allows users to detect sophisticated attackers.
  2. Detecting and differentiating multiple attackers.
  3. Fast path reconstruction, even during an attack, with short attack detection time and fast preventive action.
  4. Minimal additional network load and performance impact.
  5. Ability to trace paths of more than 50 hops.

Tracemax preventive system

As a preventive measure, Tracemax is installed on all devices the packets travel through.  It lets the system detect DDoS attacks against small networks and alert the ISP to malicious packets entering its networks, so that the ISP can take the necessary steps to deny malicious packets and malicious outside nodes.  This approach could prevent new DDoS attacks from spawning on different internet nodes, and it would also allow an ISP to identify DDoS attacks originating from its own networks.

Tracemax mitigation technique

Tracemax’s own labeling system is its mitigation technique.  DDoS attacks are for the most part carried out from spoofed IP addresses, and the packets travel over varying paths to the target.  Dynamic paths and spoofed source addresses are therefore not relied upon; instead, Tracemax looks at the options field for the abstract IDs that were added as the packet traveled from device to device.  With this method it is very simple to reconstruct a malicious packet’s full path at the end.

Tracemax alternate mitigation technique

A slightly different mitigation technique is that if a traced IP packet were to fall into the wrong hands and be reverse engineered, the packet would not give up the ISP’s network topology, because of the abstract ID system it uses.  This is a big concern, as many packets can be reverse engineered at some point.  However, because Tracemax not only labels each packet with an abstract ID but can also change its entire abstraction method, for anyone without the software the packet is useless for determining where the trace is coming from.
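The labeling, the single-packet path reconstruction and the topology-hiding property of the abstract IDs (this section and the two before it) can be seen together in a small simulation. This is an added illustration, not Tracemax's own code or packet format: each router a packet crosses appends an abstract hop ID to the packet's options, the ISP holding the secret mapping reconstructs the exact path from that one packet, an outsider holding the same packet learns only opaque IDs, and re-keying changes every ID so that old captures no longer resolve. Router names, the 4-byte ID size, the HMAC-based ID derivation and the packet fields are constructed; the real scheme fits far more hops into the option space than this encoding would, so its ID layout is necessarily denser.

```python
"""Added illustration (not Tracemax's code): per-hop abstract IDs in a packet's
options, ISP-side path reconstruction, and re-keying.  All values constructed."""
import hashlib
import hmac
import secrets


class IspTraceDomain:
    """The ISP side: derives abstract IDs for its routers and reverses them."""

    def __init__(self, routers, id_len=4):
        self.routers, self.id_len = list(routers), id_len
        self.rekey()

    def rekey(self):
        """Change the abstraction: a fresh secret gives every router a new ID, so a
        previously captured packet can no longer be mapped back to the topology."""
        self.secret = secrets.token_bytes(32)
        self.table = {self.hop_id(r): r for r in self.routers}
        if len(self.table) != len(self.routers):  # ID collision (improbable); draw again
            self.rekey()

    def hop_id(self, router):
        """Abstract ID: keyed hash of the router name, truncated to id_len bytes."""
        return hmac.new(self.secret, router.encode(), hashlib.sha256).digest()[: self.id_len]

    def label(self, packet, router):
        """What the software on `router` does to a transiting packet: append its ID.
        A real IPv4 header has only 40 bytes of option space, so a deployable
        encoding must be much denser than 4 bytes per hop."""
        packet["options"].append(self.hop_id(router))

    def reconstruct(self, packet):
        """Map the recorded IDs back to router names, in order; None for any ID this
        domain cannot resolve (another ISP's secret, or a secret since rotated)."""
        return [self.table.get(h) for h in packet["options"]]


def forward(domain, route, payload=b"constructed payload"):
    """Simulate one packet, with a spoofed source, crossing every router in `route`.
    The source field plays no part in tracing; only the appended hop IDs do."""
    packet = {"src": "198.51.100.7", "dst": "203.0.113.9", "options": [], "payload": payload}
    for router in route:
        domain.label(packet, router)
    return packet
```

Because the route is recovered from the hop IDs rather than from the source address, a spoofed source does not hide the path, which is the single-packet traceback benefit listed earlier; and because only the holder of the secret can turn IDs back into router names, the labels leak no topology to anyone else.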

 

Hybrid Intrusion Detection System for DDoS Attacks

Solving DDoS attacks is proving to be extremely difficult.  The previous projects focused predominantly on DDoS and DoS attacks against general networks, but it would not be practical to leave out wireless networks.  This next research project takes a best-of-both-worlds approach.  As the name suggests, the Hybrid Intrusion Detection System (H-IDS) uses a misuse database, or signature-based approach, and combines it with the anomaly-based approach.  The controlling centralized node that joins them is referred to as the hybrid detection engine (HDE); see figure 1.  The benefit of this system is that it combines the low frequency of false positives of signature-based IDS with the flexibility of pattern recognition, which increases speed and improves efficiency.  The HDE’s tasks are defined as follows:

  1. Collecting the outputs of the anomaly-based detector and the signature-based detector
  2. Calculating the attack probability
  3. Controlling the security levels of the detectors
  4. Updating the anomaly detector’s normal network model
  5. Updating the signature-based detector’s rule set

Detection method with SNORT

The HDE uses SNORT as its signature-based detection system.  SNORT is widely used in the industry and can be run in three modes: sniffer, packet logger and network IDS.  For the H-IDS implementation the periodically updated rule set can be used.  The HDE uses SNORT, but the HDE controls SNORT’s sensitivity levels.

Anomaly Mitigation Expectation Maximization Algorithm

The key mitigation strategy that differentiates the HDE from other mixed-model systems is its use of an algorithm for maximum likelihood estimation problems, which are huge problems in mixed-model systems.  The algorithm used is the Expectation Maximization (EM) algorithm, chosen over other approaches such as gradient ascent or Newton’s method.  EM enables the HDE to estimate the parameters of a probabilistic model with incomplete data, and it is largely efficient when working with incomplete data.  When taking in models from both signature-based and anomaly-based detection systems, this is of high importance.

OR Mitigation Method

In most multi-detector systems there is the possibility of one detector detecting an intrusion while the other does not.  To alleviate this problem the HDE uses an OR relation, meaning it will report an intrusion whenever either detector finds one, whether through pattern recognition or through SNORT’s signature-based detection.  This ultimately gives a best-of-both-worlds approach to the DDoS attack scenario.
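The EM-based anomaly model and the OR fusion described in this and the preceding section can be put together in one small engine. This is an added example, not the cited H-IDS code: a signature detector with two constructed byte patterns stands in for SNORT, the anomaly detector fits a two-component Gaussian mixture to request rates by Expectation Maximization (without labels, so the low-rate and high-rate populations are separated by the algorithm itself), the attack probability is the posterior of the high-rate component, and the engine alerts on the OR of the two verdicts. Training rates, rule patterns, observations and the 0.5 decision threshold are constructed assumptions.

```python
"""Added example (not the cited H-IDS code): a hybrid detection engine with a
signature stand-in, a 1-D two-Gaussian mixture fitted by EM, and OR fusion."""
import math

# Constructed training data: requests per second seen at the sensor (unlabelled).
TRAINING_RATES = [12, 18, 25, 20, 15, 22, 17, 28, 14, 19, 950, 1000, 1050, 980, 1020]

# Constructed stand-in rules: (rule name, byte pattern looked for in the payload)
SIGNATURES = [("ddos-tool-ua", b"User-Agent: LOIC"), ("slowloris-hdr", b"X-a: b\r\n")]


def signature_detector(payload):
    """Misuse/signature side: names of every rule whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES if pattern in payload]


def gauss(x, mean, var):
    return math.exp(-(x - mean) ** 2 / (2 * var)) / math.sqrt(2 * math.pi * var)


def fit_two_component_em(data, iters=100, var_floor=1e-3):
    """EM for a mixture of two 1-D Gaussians.  Returns (weights, means, variances);
    component 1 is initialised at the maximum, so it ends up as the high-rate one."""
    lo, hi = min(data), max(data)
    weights, means = [0.5, 0.5], [float(lo), float(hi)]
    spread = max(sum((x - (lo + hi) / 2) ** 2 for x in data) / len(data), var_floor)
    variances = [spread, spread]
    for _ in range(iters):
        # E-step: responsibility of component 1 for each point (the "incomplete data"
        # EM fills in is exactly this missing component label)
        resp = []
        for x in data:
            p0 = weights[0] * gauss(x, means[0], variances[0])
            p1 = weights[1] * gauss(x, means[1], variances[1])
            resp.append(0.5 if p0 + p1 == 0 else p1 / (p0 + p1))
        # M-step: re-estimate parameters from the soft assignments
        n1 = sum(resp)
        n0 = len(data) - n1
        if n0 == 0 or n1 == 0:
            break
        means = [sum((1 - r) * x for r, x in zip(resp, data)) / n0,
                 sum(r * x for r, x in zip(resp, data)) / n1]
        variances = [max(sum((1 - r) * (x - means[0]) ** 2 for r, x in zip(resp, data)) / n0, var_floor),
                     max(sum(r * (x - means[1]) ** 2 for r, x in zip(resp, data)) / n1, var_floor)]
        weights = [n0 / len(data), n1 / len(data)]
    return weights, means, variances


class HybridDetectionEngine:
    def __init__(self, training_rates, threshold=0.5):
        self.weights, self.means, self.variances = fit_two_component_em(training_rates)
        self.threshold = threshold  # assumed decision threshold on the attack probability

    def attack_probability(self, rate):
        """Posterior that `rate` was generated by the high-rate (attack) component."""
        p = [w * gauss(rate, m, v) for w, m, v in zip(self.weights, self.means, self.variances)]
        return 0.5 if sum(p) == 0 else p[1] / sum(p)

    def inspect(self, rate, payload):
        """OR fusion: a signature hit or a high attack probability alone raises the alert."""
        hits = signature_detector(payload)
        prob = self.attack_probability(rate)
        return {"alert": bool(hits) or prob > self.threshold,
                "signatures": hits, "attack_probability": prob}
```

The two detectors fail in different ways: a flood of protocol-valid requests carries no signature but an extreme rate, while a known tool's traffic at a gentle rate carries a signature but looks normal statistically. The OR relation catches both, at the price that a false positive from either side also surfaces, which is why the text stresses updating the normal model and the rule set.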

 

Conclusion

Three different approaches to detecting, preventing and mitigating DDoS and DoS attacks have been covered, and it is extremely easy to be excited about all three.  Tracemax as a concept is very bold in going after attribution in cyber security, but the concept falls apart when it comes to a realistic implementation of the software: the approach would need to be adopted globally to work.  For this reason we are very far from Tracemax becoming a reality.  The most feasible are the MCA anomaly-based detection system and the hybrid intrusion detection system, H-IDS, which in theory brings the best of both worlds together.  The speed of detecting a DDoS attack is a critical part of the detection equation, and for this reason the H-IDS system would need to be compared against the MCA anomaly system, as both target improving the speed of detection.  In the H-IDS research paper the researchers tested against a standard anomaly-based detection system; with the MCA component added to a normal anomaly system, it would be interesting to see the results.  We could only conclude that speed would be better in the MCA anomaly-based detection system and accuracy only slightly better in the H-IDS system.  (Brox, 2002): “Anomaly testing requires trained and skilled personnel, but then so does signature-based IDS. And, anomaly testing methods can be guaranteed to provide far more effective protection against hacker incidents.”  Ultimately one would have to believe that speed isn’t the only factor and that the decision has to be based on a company’s line of business and size.  Both solutions would catch the DDoS attack and be able to identify how to block access, but how much maintenance is required due to false positives?  This is the deciding question, and it can only be addressed company by company when adopting one of the methods covered.

Table 1. Tracemax compared to other trace programs. [table image: tracemax_table]

Figure 1. Model of the hybrid IDS system. [figure image: hybriddetectorids]

References

Grace, C. J. C., Karthika, P., & Gomathi, S. (2016). A system for distributed denial-of-service attacks detection based on multivariate correlation analysis.

American Psychological Association. (2010). Publication manual of the American Psychological Association (6th ed.). Washington, DC: Author.

Hillmann, P., Tietze, F., & Rodosek, G. D. (2015). Strategies for Tracking Individual IP Packets Towards DDoS. PIK – Praxis Der Informationsverarbeitung Und Kommunikation, 38(1/2), 15-21. doi:10.1515/pik-2015-0010

Somani, G., Gaur, M. S., Sanghi, D., Conti, M., & Buyya, R. (2015). DDoS attacks in cloud computing: Issues, taxonomy, and future directions.

Cepheli, Ö., Büyükçorak, S., & Karabulut Kurt, G. (2016). Hybrid intrusion detection system for DDoS attacks. Journal of Electrical and Computer Engineering, 2016, 1-8. doi:10.1155/2016/1075648

Brox, A. (2002, May 1). Signature-based or anomaly-based intrusion detection: the practice and pitfalls. Retrieved from http://www.scmagazine.com/signature-based-or-anomaly-based-intrusion-detection-the-practice-and-pitfalls/article/30471/

ARBOR NETWORKS SECURES PATENTS FOR DDOS DETECTION. (2015). Computer Security Update, 16(7), 4-6.

Zetter, K. (2016, January 16). Hacker lexicon: what are dos and ddos attacks? | wired. Retrieved from https://www.wired.com/2016/01/hacker-lexicon-what-are-dos-and-ddos-attacks/

Manohar, R. P., & Baburaj, E. (2016). Detection of stealthy denial of service (S-DoS) attacks in wireless sensor networks. International Journal of Computer Science and Information Security, 14(3), 343-348.

 

 

Hardening your Access Control

Managing Access to Information Resources

When first considering how to organize a company’s information resources, establish an access baseline. (Schwartz, 2007) says, “By doing this, you’ll see the holes in your current processes and quickly nab any gross offenders, such as “someone who’s running a business out of their cube.”  Identifying the roles current employees hold and walking down the list by job title reveals a lot about where the access control strategy needs to go.  This can double as a recertification effort, in which employees must be re-approved for access to sensitive applications.  Next, automate the provisioning process.  Identity service providers such as Centrify, with an application workflow provisioning system built in, have proven invaluable to organizations, and there are many other products of this kind.  Automation matters because most organizations still do this by hand: (Schwartz, 2007) states, “according to a new survey of 600 organizations’ identity and access management practices conducted by the Ponemon Institute, 58 percent of companies use mostly manual monitoring and testing to monitor access policy compliance”

Next, a security engineer should look for business cases for access control.  Most companies’ access control programs are driven by regulatory compliance rather than by business need.  Establishing regular meetings to address new access control business cases will pay off, because the goal is to get the right information to the right people faster (Schwartz, 2007).  After that, tie the access controls to the regulations the company is directly subject to, whether that means specific controls for Sarbanes-Oxley, PCI, or both.  State regulations vary, but if data a company holds is accessed improperly, the company may need to notify every affected resident of each state (Schwartz, 2007).

Above all, the principle of least privilege should be applied at all times. (Anderson, 2008, p. xx) states, “Programs should only have as much privilege as they need: the principle of least privilege. Software should also be designed so that the default configuration, and in general, the easiest way of doing something, should be safe.”  This should simply be the norm of operation throughout the company, from business to IT resources.
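As an added example of the baseline and least-privilege steps above (example code written for this page, not a Centrify feature or anything from Schwartz or Anderson), the following Python compares a constructed role-to-entitlement model against a constructed export of what users actually hold.  It reports excess entitlements to revoke, users whose job title has no defined role, and who must recertify for the sensitive entitlements.  The role names, entitlement strings and the list of sensitive entitlements are all assumptions for the example.

```python
from collections import defaultdict

# Constructed role baseline (assumption): what each job title is allowed to hold.
ROLE_BASELINE = {
    "accounts-payable-clerk": {"erp:invoices:read", "erp:invoices:create"},
    "help-desk": {"ad:password-reset", "ticketing:read", "ticketing:write"},
    "database-admin": {"db:prod:admin", "db:staging:admin", "ad:password-reset"},
}

# Constructed entitlement inventory (assumption): user -> (job title, entitlements actually held),
# as it might be exported from a directory and application access lists.
CURRENT_ACCESS = {
    "alice": ("accounts-payable-clerk", {"erp:invoices:read", "erp:invoices:create"}),
    "bob":   ("help-desk", {"ad:password-reset", "ticketing:read", "ticketing:write", "db:prod:admin"}),
    "carol": ("database-admin", {"db:prod:admin", "db:staging:admin", "ad:password-reset",
                                 "erp:invoices:create"}),
    "dave":  ("contractor-unknown", {"ticketing:read"}),
}

# Entitlements that require periodic recertification (assumption).
SENSITIVE = {"db:prod:admin", "erp:invoices:create"}


def build_baseline(current_access, role_baseline, sensitive=SENSITIVE):
    """Compare held entitlements to the role model.

    Returns a dict with:
      excess       - user -> entitlements held beyond what the role allows
      unknown_role - users whose job title has no defined role (treated as allowing nothing)
      recertify    - sensitive entitlement -> users who hold it and must be re-approved
    """
    findings = {"excess": {}, "unknown_role": [], "recertify": defaultdict(set)}
    for user, (role, entitlements) in current_access.items():
        allowed = role_baseline.get(role)
        if allowed is None:
            findings["unknown_role"].append(user)
            allowed = set()
        excess = entitlements - allowed
        if excess:
            findings["excess"][user] = excess
        for ent in entitlements & sensitive:
            findings["recertify"][ent].add(user)
    return findings


def proposed_revocations(findings):
    """Least privilege in practice: (user, entitlement) pairs a provisioning workflow would revoke."""
    return sorted((u, e) for u, ents in findings["excess"].items() for e in sorted(ents))


if __name__ == "__main__":
    f = build_baseline(CURRENT_ACCESS, ROLE_BASELINE)
    print("unknown roles:", f["unknown_role"])
    for ent, users in sorted(f["recertify"].items()):
        print("recertify", ent, "->", sorted(users))
    for user, ent in proposed_revocations(f):
        print("revoke", ent, "from", user)
```

Here bob (help desk) holding production database admin is the kind of “gross offender” Schwartz describes, and dave shows why an unmapped job title must fail closed rather than be ignored.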

 

References

Anderson, R. (2008). Security engineering: A guide to building dependable distributed systems. Indianapolis, IN: Wiley Pub.

Schwartz, M. (2007, March 27). Access control: 10 best practices — enterprise systems. Retrieved from https://esj.com/articles/2007/03/27/access-control-10-best-practices.aspx

New Privacy Issues Related to Cyberspace

In the streaming media industry, privacy is a very large problem.  As you watch your favorite movie or listen to your favorite playlist, services collect an extraordinary amount of data, including location data, personally identifiable information, behavioral data and more.  Each of the companies analyzed here is looking to get an edge on the others by building a completely customizable experience for its customers.  The question is how the companies’ privacy policies compare to one another.  We’ll take a look at Netflix, Walmart’s VUDU, and Xbox streaming services.

Netflix

Netflix is one of the largest streaming services in the world.  It is a subscription-based service, much like the others, that provides on-demand movies by streaming and also by mail.  According to Forbes, Netflix is worth 25 billion dollars.

Mission Statement

Netflix’s mission is to provide streaming services to its customers.  (Farfan, n.d.) says, “[Netflix] doesn’t have an “official” published mission statement, but at the Dublin Founders conference in October, 2011, co-founder and CEO Reed Hastings expressed a clear vision for the future of Netflix.”  Netflix is striving to become the best global entertainment company, and is seeking to license entertainment content all around the world (Farfan, n.d.).  The CEO adds that Netflix is also creating markets for filmmakers around the world.

Privacy Policy

Netflix’s privacy policy is laid out in a very simple, easy-to-read way.  It covers the three main points of who, what and why: who Netflix gives your personally identifiable information to, what types of information it captures from its user base, and why, citing the California Online Privacy Protection Act (CalOPPA) and what that act mandates.  It also explains how some of the data is collected, and how a user can opt out of certain emails and of disclosing other information.

Recommendation

Compared with the others, the Netflix privacy agreement reads very briefly.  The only sections that are robust in detail are those concerning CalOPPA and the email regulations it must satisfy.  I would suggest clarifying in more detail exactly what the company uses the information for; stating that the information is used only to enhance the customer experience is very vague.  Telling Netflix’s customers exactly what is done with their information will give the customer base more trust in the streaming service.  The second part of the mission statement says Netflix is creating markets for filmmakers, so the privacy policy should state where PII is being used and for what.  As it stands, Netflix users are not told what demographic data is being built about them or how long it is stored.

 

Walmart Mission Statement

Walmart, a giant in the retail industry, has a very simple mission statement: saving people money so they can live better.   (“Walmart corporate – we save people money so they can live better,” n.d.) states, “Our everyday low price model and next-generation approach to seamlessly integrating the online and in-store shopping experiences to meet the evolving needs of our customers, have delivered growth, leverage, and returns for our shareholders.”  Walmart has a streaming service called VUDU.  Much like Netflix, it delivers streaming movies and entertainment content to its customers.

Walmart Privacy Policy

Walmart’s privacy policy is very thorough and easy to read.  It covers the four main questions of who, what, why and how.  Like Netflix’s, it is laid out like a Frequently Asked Questions section of the website.  Walmart does a great job of disclosing not only that it distributes your personal information to third parties but also who receives it and why.  (Walmart) states, “We share personal information about you with service providers that help with our business activities, including shipping vendors, billing and refund vendors, payment card processors, and companies that help us improve our products and services.”  Compared to the other two privacy policies, especially Netflix’s, this is worded in a clever way that lets customers feel comfortable without giving away Walmart’s business process.  As an added bonus, Walmart also describes the emergency scenarios in which it would disclose your PII, which is present in neither the Microsoft policy nor the Netflix policy.

Walmart Recommendation

Walmart as a whole covers many different products and services.  Its privacy statement makes little mention of the streaming service or of what PII is used for in conjunction with the VUDU offering.  A recommendation would be to isolate the streaming service and add a section on how data is used there.  As the policy is laid out today, it describes usage around Walmart’s bread-and-butter lines, retail and e-commerce.  Walmart should create a larger, more directed section for this service.   (“Five potential privacy pitfalls for app developers mozilla hacks – the web developer blog,” n.d.)   says, “Despite your best intentions to respect user privacy, legal requirements and user expectations can vary widely – a challenge made especially acute now that apps are available to a global audience.”  Walmart has to watch out, as the audience for its streaming service may differ from the audience for its retail and e-commerce offerings.

Microsoft Mission Statement

Microsoft is a global company that is dominant in the streaming service space as well.  Like Walmart, Microsoft has a variety of product and service offerings for its consumers beyond its streaming movie service.  Microsoft’s mission is to enable people and businesses throughout the world to realize their full potential.

Microsoft Privacy Policy

Microsoft also has a very thorough privacy policy.  It lets a customer clearly read what they are opting into and what types of information are captured.  Unlike Walmart, Microsoft discloses a large amount of its business to the consumer.  The policy states not only that it uses PII the customer offers willingly but also details how the company uses third-party services to obtain other information on customers in order to build profiles, again framed as improving the customer experience.  The highlights also describe how Kinect cameras take pictures and upload them to Microsoft servers once connected.

Microsoft Recommendation

Microsoft should seriously consider how much data each service or product offering actually needs.  The level of detail in its policy not only makes the policy hard for the company to maintain but also creates a sense of distrust in the customer.  The company also takes the same one-size-fits-all approach as Walmart.  Privacy policies should be specific to the service or product, so that the user knows in which service their PII is being used and how, instead of being vague about which service or product is meant.

References

Farfan, B. (n.d.). Netflix mission statement – mission, values, global vision, founders facts, and trivia about netflix movie rental website. Retrieved from http://retailindustry.about.com/od/retailbestpractices/ig/Company-Mission-Statements/Netflix-Movies-Mission-Statement.htm

Microsoft accessibility mission, strategy, and progress. (n.d.). Retrieved from https://www.microsoft.com/enable/microsoft/mission.aspx

Privacy policy » what’s on netflix? (n.d.). Retrieved from http://whatsonnetflix.com/privacy-policy/

Privacy statement. (n.d.). Retrieved from https://privacy.microsoft.com/en-us/privacystatement

Walmart corporate – we save people money so they can live better. (n.d.). Retrieved from http://corporate.walmart.com/

Walmart Privacy Policy. (2015, March). Retrieved from http://corporate.walmart.com/privacy-security/walmart-privacy-policy

Cyber Vigilantism and Pro-Active Defense


Cyber vigilantism is the term for attacking back against a cyber-attack on a company, that is, allowing a company that has been attacked to counter, or “hack back”, against a potential hacker or hacker group.  Hacking back is illegal under the Computer Fraud and Abuse Act.  (Riofrio, 2013) states, “This law has undergone numerous revisions since it was first enacted in 1986, but Title 18, Sec. 1030 is clear on the point that using a computer to intrude upon or steal something from another computer is illegal.”   Beyond the law, it is plainly unethical.  (Riofrio, 2013) continues, “What’s clearly illegal are offensive hacks, where you leave your territory and actively pursue an assailant online.”

If a company decides to partake in cyber vigilantism, however satisfying that may be, it opens entirely too many doors.  What happens when a company does not have the means to attack back, or to outdo its attacker?  Will companies need to hold their own against cyber militaries or terrorist groups?  It is a bad decision all around to open up the playing field and blur the lines between hacking for good and hacking for personal gain. (Fisher, 2013) says that “Foreign Policy’s John Reed points out that hackers often deploy their attacks from “hijacked computers belonging to innocent bystanders,” meaning that a corporate retaliation might end up targeting people who’ve done nothing wrong.”

Proactive defense means many things to me.  Instead of focusing on offense, most companies need to focus on defense.  The defense-in-depth approach is increasingly promising, as is knowing which of your data is most sensitive and protecting it with stronger controls than other areas of the business.  I also like what CloudFlare has done to slow down known criminals: it monitors traffic patterns and immediately restricts the resources an attacker can consume, which I believe is largely effective.  Coupled with good internal defense-in-depth practices, this makes for a strong security posture for any company.
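To make the “slow down the attacker” idea concrete, here is an added example (written for this page; it is not CloudFlare’s implementation and assumes nothing about their internals) of a per-source limiter that first tarpits a source once it exceeds a soft request rate, then blocks it outright above a hard rate, with the block length doubling on every repeat offence.  The window, limits, penalty and the sample request stream are all assumptions for the example.

```python
from collections import defaultdict, deque


class AdaptiveThrottle:
    """Per-source sliding-window limiter with escalating restriction.

    Decisions returned by check():
      ("allowed", 0.0)        - under the soft limit
      ("slowed", delay_s)     - over the soft limit: serve, but add a delay (tarpit)
      ("blocked", seconds)    - over the hard limit or still inside a penalty period
    Hypothetical design for this example, not any vendor's algorithm.
    """

    def __init__(self, window_s=10.0, soft_limit=10, hard_limit=20, base_penalty_s=30.0):
        self.window_s = window_s
        self.soft_limit = soft_limit
        self.hard_limit = hard_limit
        self.base_penalty_s = base_penalty_s
        self.history = defaultdict(deque)   # src -> timestamps of served requests in window
        self.blocked_until = {}             # src -> time the current block expires
        self.strikes = defaultdict(int)     # src -> number of times the hard limit was hit

    def check(self, src, now):
        until = self.blocked_until.get(src, 0.0)
        if until > now:
            return ("blocked", until - now)
        q = self.history[src]
        while q and now - q[0] > self.window_s:   # drop requests outside the window
            q.popleft()
        if len(q) >= self.hard_limit:
            self.strikes[src] += 1
            penalty = self.base_penalty_s * (2 ** (self.strikes[src] - 1))  # doubles per strike
            self.blocked_until[src] = now + penalty
            return ("blocked", penalty)
        q.append(now)
        if len(q) > self.soft_limit:
            # Tarpit: the further over the soft limit, the longer the response is held.
            return ("slowed", 0.5 * (len(q) - self.soft_limit))
        return ("allowed", 0.0)


def simulate(throttle, requests):
    """Feed (timestamp, src) pairs in time order; return {src: {decision: count}}."""
    tally = defaultdict(lambda: defaultdict(int))
    for ts, src in sorted(requests):
        decision, _ = throttle.check(src, ts)
        tally[src][decision] += 1
    return {src: dict(counts) for src, counts in tally.items()}


# Constructed request stream (not captured traffic): one source sends 60 requests in 6 s,
# a normal client sends one request per second.
SAMPLE_REQUESTS = ([(round(0.1 * i, 1), "198.51.100.7") for i in range(60)]
                   + [(float(i), "10.0.0.5") for i in range(5)])


if __name__ == "__main__":
    t = AdaptiveThrottle()
    for src, counts in sorted(simulate(t, SAMPLE_REQUESTS).items()):
        print(src, counts, "strikes:", t.strikes[src])
```

With the defaults, the flooding source gets ten requests served normally, ten served with growing delay, and the remaining forty refused for the length of the penalty, while the normal client is never touched.  Because the penalty is time-based rather than a permanent block, a hijacked bystander machine (the concern Fisher raises above) recovers on its own once the abusive pattern stops.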

 

References

Fisher, M. (2013, May 23). Should the U.S. Allow Companies to ‘Hack Back’ against Foreign Cyber Spies? The Washington Post. Retrieved 2016, from http://www.highbeam.com/doc/1P2-34692413.html?refid=easy_hf

Riofrio, M. (2013). Hacking back: Digital revenge is sweet but risky. PCWorld.

Duhigg, C. (2012). How Companies Learn Your Secrets. Retrieved February 17, 2016, from http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?_r=0

What are hackers motivations?

Hacker Motivation and Threat Mitigation

Cybersecurity attacks are becoming more frequent and costly.  The rise of the internet of things gives potential hackers more opportunities to capitalize.  (Wagstaff, 2016) says, “Often, a skilled hacker can break into a new IoT device within a matter of days, if not hours.”  But what motivates someone to carry out criminal activity such as this?  To analyze the motivations, we first break hackers down into six distinct groups: Elite Hackers, Script Kiddies, Cyber Terrorists, Disgruntled Employees, Virus Writers, and Hacktivists (Fitch, 2003).

Motivations

Elite hackers largely seem not to be motivated to conduct criminal activity.  (Fitch, 2003) says, “It is generally agreed upon that elite hackers do not engage in criminal activity or harbor malicious intent but rather expose security flaws and other coding problems.”  Their knowledge, skill and ethics usually put elite hackers on the right side of an attack, motivating them not only to stay away from criminal activity but to help administrators and businesses keep their companies safe.

Script kiddies are a different story.  This class tends to be among the least skilled in the hacker community, and its main motivation is ease of attack: most of its attacks reuse tools that come from elite hackers against easy targets.  Take the BlackPOS malware found in the Target and Neiman Marcus breaches.  Sergey Taraspov, a 17-year-old Russian, was initially accused of creating the malware, but it was soon found that he had played more of a technical support role during the breach, using one of some 40 different builds of the known malware that were for sale on the black market (“17-year-old suspected to be creator of BlackPOS malware used in Target data breach – E Hacker News,” 2014).

Cyberterrorists seem to be the most serious class of hackers.  It also includes nation-state hackers and groups such as ISIS.  These hackers are largely motivated by the anonymity the internet brings, which lets them conduct information gathering and governmental spying in plain sight (Fitch, 2003).

Disgruntled employees are the most dangerous class, because they already have access to critical areas of the company and insider knowledge of its policies and procedures. (Song, n.d.) says, “Reuters once reported that Edward Snowden notoriously persuaded NSA employees to give him their password by telling them he needed their personal information to properly do his job as a system administrator.”  There are many ways for such insiders to exploit company information, so it is easy to see why they are considered the most dangerous.

Virus writers are almost an auxiliary class of hackers.  They are known for writing code that takes advantage of exploits that other classes of hackers develop, combining those exploits into something that can later be sold on the black market.  Their motivation is largely financial.

Hacktivists are usually motivated by a cause.  These groups are predominantly hackers not interested in learning software or hardware, but in outright destruction to make a point or to be heard.  The infamous Anonymous collective fits this category.

The best defense against these different classes of hackers is education.  With schools not preparing students to enter the workforce with proper cybersecurity awareness, the key is upgrading these programs on the job, in the community and in the public sector.  (Doggett, 2015) states, “As a frequently targeted group, employees should have a strong understanding of corporate security risks and how they each play a key role in helping to keep a company’s network safe from a cyberattack.”

References

17 year old suspected to be creator of BlackPOS malware used in Target data breach – E Hacker News. (2014, January 18). Retrieved from http://www.ehackingnews.com/2014/01/blackpos-malware-creator-russian.html

Doggett, C. (2015, November 13). Closing the gap on cyber education. Retrieved from thehill.com/blogs/congress-blog/technology/260003-closing-the-gap-on-cyber-education

Fitch, C. (2003, December 26). The psychology of hacking in the new millennium. Retrieved from https://www.giac.org/paper/gsec/3560/crime-punishment-psychology-hacking-millennium/105795

Kabay, M. E., Robertson, B., Akella, M., & Lang, D. T. (2014). Using social psychology to implement security policies. In Computer security handbook (6th ed., pp. 50.1-50.25). New York, NY: John Wiley & Sons.

Song, J. (n.d.). Insider data breach: the hidden hack attack. Retrieved from http://www.business2community.com/cybersecurity/insider-data-breach-hidden-hack-attack-01410396#fP05VKArZLJHiUkQ.97

Wagstaff, K. (2016, January 2). Hack to the future: experts make 2016 cybersecurity predictions – NBC News. Retrieved from http://www.nbcnews.com/tech/internet/hack-future-experts-make-2016-cybersecurity-predictions-n486766