Cyber Security and Privacy in the Digital Age - 10 Threats and 10 Solutions.

Charles Darwin the famous English Naturalist and Geologist has said that

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change”

The digital age had uplifted human efficiency to a new level which has not been at any point in history. The digital age has provided real-time data which helps individuals and business, this data is at high velocity, varsity, and volume. At the same time data is getting originated by the internet of things, Mobile, tablets, Personal computer, laptops, servers. Along with the great benefits that come with digital there is also need for caution to protect personal data.

I am going to highlight 10 every day threat we face to our security and privacy and 10 Solutions.

Our Security and Privacy is threatened in the following Ten ways:

1.      Virus, Malware, and Ransomware in PC and computers.

2.      Outbound Spam emails.

3.      Mobile devices

3.1.   Mobile devices used in public unsecured network.

3.2.   Connecting Mobile device for power in public places using a data cable.

4.      Man, in middle attack like:

4.1.   Session Hijacking.

4.2.   SQL Injection.

5.      Sharing sensitive data over the phone.

6.     Sharing password, brute force attacks or being uncareful with a password like writing the password at the place where everyone can see or using a weak password.

7.   Social Engineering: Social media contacts with fake accounts or compromised social media accounts or bots.

8.      Identity Theft: Email or social media identity theft.

9.      Insider threat: the threat from disgruntled employees.

10.  Trusted software: We use many software and hardware, we need to be careful with corrupted or software with bugs in them which can affect data privacy.

The Ten Solutions are as follows:

1.      Use an appropriate antivirus software.

2.      Never use auto selected public network on your smart phone but instead manually choose a public network.

3.      Try to connect to a  public network on a WAP2 network protocol.

4.      Never transfer critical or confidential data in public network, especially banking information

5.      Always opt for an https rather than HTTP, this means is encrypted to help mitigate session hijacking to an extent. Hypertext Transfer Protocol (HTTP) for secure communication over a computer network and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL).

6.      Never share confidential information on Social media.

7.      Always use trusted software or hardware provided by the trusted source.

8.      Always download and use the trusted application on mobile phones.

9.      Configure you WIFI device on WAP2 protocol and have a strong password.

10.   Use a strong password for your social media or email accounts and be careful with your password, do not share or do not write your password on sticker note. If possible use anti-glare screen.

Baton Gellman the American Journalist and best-selling author has said 

‘Privacy and encryption work, but it's too easy to make a mistake that exposes you.’

Digital Certificates

Digital Certificates

We do most of our transaction digitally right from our Banking transaction to our Mobile eCommerce transaction, or IOT based transaction etc., hence to do a secure digital transaction we use the digital certificate. Digital Certificate is a certificate issued by a Certification Authority validating the individual or organisation. The Certificates validates that a website or mobile transaction platform is trusted and safe.

Some of the important things to look out are:

-  Who issued the certificate?

-  Who the certificate is issued to.

-  Valid to

-  Public Key 

-  Digital Signature.

Certificate are used for identification and encryption which grants the right to access information or other services online. It includes ensuring the identity of all parties involved. They include public key that is used of encryption of data like email document, secure web transaction etc.

Public Key Infrastructure (PKI): As mentioned above PKI is also known as trusted hierarchy, public key infrastructure is a system of Digital certificates, Certification Authorities (CA’s) and other registration authorities (RA’s) used to verify and .authenticate the validity of parties involved in an internet transaction.

Digital Signature: A Digital Signature is based on asymmetric cryptography. Digital Signature has a Hash function which represents the digital signature which is mathematical value for that certificate. It’s a one-way process using a private key to generate a digital signature, the same can be checked by using a public key for Decryption which again is a mathematical value and outcome should be the original Hash value which would ascertain that the certificate is not altered or damaged. If the hash value is not correct, it would mean that the certificate is corrupt or is tampered with. 

A private key is paired with the Public key; however, the private key is stored separately.

A certificate includes the certificate holder's public key, information about individual, computer, or organisation to which the certificate is issued, information about certification authority (CA), the date of issue and expiry of certificate and the serial number of certificate.

Certification Authority: Certificate is essentially a file with data in it. Hence the trust model work in certification to validate the data and Certification Authority role is important. The Certification Authority does the checks before issuing the certificate and that it’s trusted. The Certification authorities certify and create an electronic document that is a Digital certificate that verifies individuals and organization are who they say they are. Hence is also important that Certification Authority is also a Trusted Source. The organization can have an additional level of certification authority normally followed is Root SA and child SA trust model. 

A CA essentially is a hierarchical system composed of software, hardware, procedures, policies and administrators who validate the request and generates certificates. 

Now with sources of the transaction happening over Mobile & IOT apart from Web Digital Certificate has high importance for security while we do digital transactions.

Hardware Security Architecture.

Hardware Security Architecture.

Hardware security is an important aspect, firstly any one who is using machine today is getting some form of protection from hardware, secondly there are more security oriented properties that are coming in new chips in market in couple of years, and thirdly there are important properties that can only be build on hardware and software can build on those.

Machines today are connected and vulnerable to cyber threat. The type of threats we have are Memory corruption, data disclosure, code injection, control flow diversion, return oriented programming. The types of method attacker today can use are Type – Instruction, data, pointer, Extent – Base, Bounds and Ownership – component, access right. Architecture grantees that every thing would be right.

A lot of security issue we face today is because of the hardware security Architecture issues. Originally Multics was a machine designed for security, however machines that we have today security is an after thought. Multics was originally a project between MIT, which was designing things, General electric who was making hardware and Bell labs who was the user. However bell labs got little nervous and wanted some thing that work then and they designed a much simpler system on a less expensive piece of hardware and the system was called Unix, which was a trimmed down, lesser feature output of Multics. Unix was later widely used and is the predecessor of Linux and variety of system we used today.

In this transition what we lost was the idea of segmentation, we lost the idea of rings. What it carried forward was some ideas from Multics, ideas of permission and level of privileges, which in most machines that's just at the kernels as against user made distinction in Multics. Multics was programmed in a higher level language called PL/1, whereas Unix moved to a very low-level language called C, which is also the reason of lot of problem we face today.

Multics had some very important, very high leverage usage particularly in defense system. It work on fundamental three principles, first of these is of complete mediation, Secondly, separate privileges, and thirds principle is of least privileges. The fundamental principle was to do its job most of the time the Kernel does not need to read your data, segmentation at memory and use of access control rings.

Multics was much earlier a project in MIT, the idea of which was to develop a computer utility which could share its very expensive resources and people could access these resources. And the next leap today, which is now taking forward Multics is Cloud computing a network computing of all different kind of client server architecture.

The other things thats happening is at processor level it can make sure that only high users can access high data and thing that’s coming now is is fat pointer which means that every pointer to the memory is bounded above and below which bounds of the object which the pointer is pointing into and Intel has a feature MPX which helps enforce this property.

GDPR Summit London 2017

I today attended GDPR Summit 2017 in London, I am intrigued by GDPR as it gives power and rights to common citizens and many countries are following the same. As one of the speakers put it IT  has  led societies transformation and evolution however it has to now be balanced or normalized with other aspects of life. GDPR is primarily meant for the good of the citizen, and the society, the purpose of GDPR is to make sure that companies use personal information with the consent of individual which can be their employees (current, past or people they might have interviewed), suppliers and customers. The Individual would have the right to take back their consent as and when required and their data would be deleted from company’s system. 

The deterrent for GDPR non-compliance is not just the 4% or 20 million Euro fine but also the fact that the companies can also be barred by the regulator from processing data temporarily or even permanently. The positive side is making Data ethics a competitive advantage.

The stake holders in organisation GDPR implementation are Legal, Human Resource, Information Technology and Marketing. DPIA – Data privacy impact assessment under article 35 of GDPR is another aspect. High-risk processing activity under article 35(7)a of GDPR processing is an important factor. Employee consultation and survey for the customer is recommended. Also in case of cloud computing the responsibility would be with the controller. Some of the addition to Article 30 include article 7, article 15-19, article 20, article 32, article 44 – 46.

Data Privacy Officer is the mandatory position for all companies, and privacy officer and Data privacy officer is two different roles. Data Privacy officer can also be a part-time role. Another aspect was right to be forgotten, and the fact that ERP does not delete the data but red flags it and the data do not pop up in the system but resides in the system is understood. Hence analyzation and tokenization of data are recommended. In tokenization audit, trail and Login function match should be conducted analyzed and blocked.

Another aspect of data privacy came out on Application security and IoT – Internet of things. While Application security primarily included session hijacking, phishing, etc., IoT can also lead to a possible source of infiltrating into the network and accessing the data. Hence Application level and IoT security are an important aspect. Security monitoring is another key aspect function of data privacy. Cloud is another area where need for security  was  emphasized. While Ben Westwood - Data protection Officer of  eBay explained the complexity involved in data privacy management for an eCommerce company.

Marketing is further another function that gets impacted by GDPR, email campaign, cookies tracking, search engine optimisation can no longer be conducted without the consent of the customer, and customer consent form should be simplified for the understanding of an ordinary computer or smart phone user. It was also acknowledged that the Personal data of non-corporate users is almost around 80% of the data under GDPR which is processed by companies, while 20% is the employee data and hence solutions need to be planned and designed basis same. 

It was acknowledged that countries like India, Singapore, Hong Kong have also adapted data privacy apart from Europe. Countries like South Africa have their own data privacy law POPI.

The IT adaptation in every individual life has penetrated to a large extent, in fact, it has impacted the way we live our lives and conduct our business, and this has rapidly involved in past 15  to 20 years and needs some form of governance hence idea to bring principles and ethics into the equation. The intent and heart to introduce GDPR is in the right place and companies would need to live with this new reality and comply. However to over seeing GDPR regulation would require highly intellectual indivituals with high integrity and conviction as there is possibility of alternative narrative been given and they would have to distinguish between narrative in interest of people and society against vested interested.

Security Operations Centre (SOC)

Security Operations Center:

A Security operations center (SOC) is that facility or multiple facilities of an organization or an organization’s service provider having qualified people using string set of technology solution and a strong set of process. The operation conducted by a SOC is of continuous monitoring, analyzing and responding to security posture and the threat to an organization.

The Three tenant of a Security Operating Center are People, Process and System. The harmonic synchronization of the three provides the organization with Visibility, Analysis, and Action.

- People: Includes trained people with certification, knowledge and vendor specific experience and skills.

- Process: Includes preparation, analysis, recovery, identification, containment, learning and knowledge retentions & transfer.

- System: Includes the End Point Protection, Perimeter Security, Data Center Security, Forensics and Incident Detection Management.

This allows for Data Aggregation, Data Analysis and 360 degree real time dashboard for the organization to detect, prevent and respond to any threat at the same time to do Forensics.

https://youtu.be/uj8PuaXyygU

The SOC operation typically can be broken up into Monitoring, Analyzing and Responding to Insider threat and that too of outsider threat.

-    The insider threat would typically be from employees or value chain partner like supplier and buyers. And organization would want the SOC to monitor Identity & Access Manager (IAM), Privileged Access Manager (PAM), Active Directory, Data Leakage Prevention(DLP), Compliance tools, etc.

-    The Outsider Threat is monitoring of Network Security – Firewall, Network IPS, Network Security Appliance for Email, The Web, etc., End Point Security, Data Center Security, NAC, Network Access Control.

A typical SOC would have some form of SIEM – Security Incident Event Monitoring and a Log collector to collect log from various security tools at various sites and some for security intelligence.

However, the security landscape has changed SIEM alone is no more as effective since the security and digital landscape has evolved. The threat landscape now also includes Social Engineering, Mobile devices & BYOD – Bring your own device has new challenges and threat thrown at the organization for application and content security. IoT – Internet of things present new form of security challenges, Industrial Security & Physical Security are as important as IT- Information technology security. And cloud migration brings new form of security integration challenges at least in short term. There is a lot happening outside the organization echo system in their industry and deep dark web which can affect the organization, its IT & Industrial asset, intellectual property and bring down their operation.

An organization should look at the tool and solution that address these new challenges to security in their Security Operating Center. All this requires to look into various facets of security, and this would involve data monitoring inside and outside of organization which is structured and unstructured at the same time would be in high volumes, varsity, and velocity hence organization or their service provider would need Artificial Intelligence (AI) to help them.

Future looking SOC would not just monitor IT, but also OT  (Operational Technology /Industrial) asset should have various advance treat analytics solution embedded along with threat intelligence, Integrated real-time dash board along with Forensic capabilities to allows access to the SOC provider customer in case organization use a third party SOC. Most importantly the SOC should be global and be having redundancy. It is imminent that Artificial intelligence is plugged to the SOC and the organization ties up with the external academics research center to get updates on research being carried out in the Security landscape.

Operating System Security

Security is a negative goal, and an attacker can break the system by many ways like permissions, disk locks, reuse memory, backup, steal disk, attackers grades.txt. The goals of Policy goals of an organization are Information Security and Liveness, which are as follows:

Information security goals include: Privacy- Limit who can read the data & Integrity: limit who can write the data.

Liveness Goals are: Availability- which is to ensure services are operational.

Operating system Security (OS Security) is the process of ensuring OS integrity, confidentiality, and availability. OS security refers to specific steps used to protect the OS from threat, viruses, malware or remote hacker intrusions.

Risk model of assumption: Threat modeling is a process by which potential risk can be identified, enumerated and prioritized from a possible attackers point of view. An adversary can be inside the organization or can be outside the organization. The adversary can be a hardware vendor, software vendor, administrator, employee or competitor, enemy state etc someone outside the network.

The threat model in this case are:

-   Adversary control some computers or network.

-   Adversary controls some software on computers.

-   The adversary is privy to some information such as password or keys.

-   Social engineering attacks.

- Adversary trying to hack or attack the network or system from outside.

Guard model of Security:

Typically in a client-server architecture, we would have some resource (data) on a server which would be accessed by the client. In guard model, the server would consult a guard for all access control decision. Hence this model follows complete mediation as the only way to access the resources which are via the guard.

The design of the guard model is on two basic principles which are Authentication and Authorisation, and this simplifies security.

The model works on following principles.

1.   Complete mediation: All resources are accessed only via the guard.

2.   Policy and Mechanism: High level concise and clear policy and well lined up security mechanism.

3.   The interaction between layers and components.

4.   Taking into cognizance social engineering and phishing attacks.

The challenges with model are:

1.   Complete mediation is challenging: Backdoor access also needs to checked.

2.   Software bugs in mediation.

3.   The disparity between Policy and Mechanism.

4.   Difficulty in enforcing policy and getting the desired outcome.

The Guard model does not provide full prove solution to all security challenges, another option we have is the separation of privilege. We can split the system into modules and give each module the least privilege to do its job.

1.   Use multiple physical machines. Separate machines for database and websites.

2.   Use of virtual machine to split.

3.   Application to be split in components.

Challenges in the Privilege separation

1.   The need for modules to share.

2.   Performance.

3.   The configuration of privileges.

4.   Reduce trusted software.

Trust computing base (TCB)

TCB is the set of hardware, firmware or software components, which are critical to its security systems. The bugs or vulnerability might affect the security property of the entire system. The principle is that all software that must be trusted to achieve security. The another theory is that less software would lead to fewer bugs and this would eventually lead to fewer exploits.

Challenges in TCB:

1.   Undermining of privilege separation.

2.   New and undiscovered class of bugs.

3.   Many bugs.

We also face security challenges due to Program, Compilers, and codes. We would need to take measures like disabling certain optimization, use bugs finding tools, look out for undefined behavior.

Cyber Security.

With the rise of acceptability and usage of Information Technology most of our data now resides in digital world and Information security is very critical aspect for today’s companies, institution, government and public sector. The companies’ data are vulnerable from external malicious attacks, through internal triggered data leakage and via information passed by emails or social network. As the concept of Bring your own devices to work place further catches up it is bringing new challenges for CXO’s at the work place. For Government as well the challenges are monitoring and securing their own Infrastructure at the same time with the evolution of social media, VOIP, Mobile etc which has many advantages but also possess potential treat and data monitoring is another aspect of Security surfacing. In future war would not be fought on battle field but in cyber world and cyber security is the most critical aspect, if a country targets top 10 Companies of a country and penetrate their IT infrastructure they can possibly bring down the economy, similarly different Government departments like Income tax, CBEC, EPFO, Defense etc are again very critical and cyber security has to be upmost priority. We recently had a case where Sony pictures in US was hacked by a Government of a country and Just last week Russian banks found out that their IT network for penetrated and around 2 billon per annum was transferred that exposed the Information Security vulnerability of these organizations. Information security not just requires right products like, HIPS, DLP, End Point protection, Control Compliance Suit, Encryption, MDM, Asset Management, and Patch Management etc but requires regular Audit and Monitoring. As we step in future we would have to manage legacy infrastructure with latest new and evolving technology and trends, Cloud commuting is inevitable and Organization would need to be ready to secure their Infrastructure from all possible threats.