The Evolution of Cybersecurity: NIST Cybersecurity Framework 2.0


The National Institute of Standards and Technology (NIST) reached a significant milestone on August 8, 2023, with the release of the draft of NIST Cybersecurity Framework (CSF) 2.0, a further advance for a framework first published in 2014. The CSF is a cornerstone of cybersecurity risk reduction: it gives organizations guidance on understanding, assessing, prioritizing, and communicating cybersecurity risks, together with actionable measures to mitigate them.

CSF 2.0 broadens the framework's reach, delivering cybersecurity guidance to organizations of all sizes and sectors. A pivotal change is visible in the revised title, which drops the words "Critical Infrastructure" (the previous title was "Framework for Improving Critical Infrastructure Cybersecurity") to reflect this wider applicability.

At the core of CSF 2.0 is a stronger emphasis on governance. The draft adds Govern as a new, sixth function and treats it as the foundation of an effective cybersecurity program: it is through governance that an organization steers the other five functions (identify, protect, detect, respond, and recover) in line with its mission and stakeholder expectations.

The draft also stresses supply chain risk management. It calls for holistic risk management programs that address the vulnerabilities introduced by suppliers, and for proactive, ongoing monitoring of third-party risk rather than a one-time assessment.

In an era of dynamic cyber threats, adopting an up-to-date framework is no longer optional. Integrating NIST CSF 2.0 into our strategic cybersecurity approach is paramount, and partnering with industry leaders amplifies our collective ability to defend against a constantly evolving threat landscape.

In conclusion, NIST Cybersecurity Framework 2.0 is a major step towards stronger digital resilience. By embracing its principles and fostering collaborative partnerships, we equip ourselves to navigate the challenges of the digital age.

Read more here: https://www.nist.gov/news-events/news/2023/08/nist-drafts-major-update-its-widely-used-cybersecurity-framework

Popular smart home brands may be allowing the police to conduct warrantless home surveillance

Security cameras from well-known smart home brands such as Amazon and Google may not just be watching over our pets. According to an article in The Verge, they can also help law enforcement investigate crimes, provided we do not mind the police viewing our footage without a warrant.

That means the police can obtain our private footage without first presenting proof that an emergency exists. Police will most likely use this access only for lawful purposes, such as preventing a crime or locating a missing person in need of help. However, it raises questions about what may happen as this technology becomes even more widespread and accessible.

What if, for instance, this access is used to locate and detain activists or protestors who have broken no laws? Consumers can only exercise caution when shopping, be aware that a smart device may record personal information, and, where the vendor offers it, enable end-to-end encryption.

If you have any questions about how to secure your smart home, do not hesitate to contact me.

The Internet of Things and Security

The Internet of Things (IoT) is changing the way we live. The term refers to everyday devices that are connected to each other and can be monitored or controlled over the Internet: cameras, refrigerators, alarm systems, televisions, and many other electronic gadgets. The IoT has helped improve people's quality of life.

But how can we trust all of these IoT devices? How can we be sure they will not turn against us? How do we know whether the device we are using is safe? Answering these questions is key to unlocking growth in the IoT.

IoT devices can be physical or virtual in nature. They range in function from a simple remote control to a complex system that monitors its environment, collects data, and sends it back for analysis.

Many people do not realize that their smart home devices may contain security vulnerabilities that attackers can exploit. By exploiting weaknesses in IoT devices such as connected door locks and lighting systems, an attacker can gain entry to a smart home or even switch off its power. For instance, over the course of one week, a study by the UK consumer group Which? recorded 2,435 malicious attempts to log in to devices in a fake "smart home" using weak default usernames and passwords.

Cybersecurity is a critical responsibility for organizations of all sizes, but manufacturers in particular must do more to ensure that IoT devices are secure from attackers and do not endanger consumers' lives. In the UK, the Product Security and Telecommunications Infrastructure (PSTI) Bill was recently introduced, imposing stricter cybersecurity requirements on manufacturers, importers, and distributors of IoT technologies, for example by banning universal default passwords. The legislation aims to better protect consumers' IoT devices from attackers and to help the IoT market earn the trust it needs to reach its full potential.

If you would like to learn about IoT security and how to safeguard your IoT devices, please get in touch.

Security Engineering and Machine Learning

This week I attended the 36th IFIP TC-11 International Information Security and Privacy Conference. The conference was organized by the Department of Informatics at the University of Oslo. During the first day of the conference, there was a keynote on Security Engineering by the celebrated security expert Prof. Dr. Ross Anderson.

He discussed the interaction between security engineering and machine learning, and warned us about the things that can go wrong with machine learning systems, including some new attacks and defenses such as the Taboo Trap, data ordering attacks, sponge attacks, and more.

Outline of Ross Anderson’s keynote (IFIP TC-11).

I especially enjoyed the part of his talk on human-to-machine-learning interaction. Coincidentally, this is a topic I am researching. He discussed cases where robots incorporating machine learning components start mixing with humans, and tension and conflict arise, e.g., robots trying to deceive and bully humans. This is a scenario we should expect to see more of in the future.

I highly recommend his brilliant book, "Security Engineering: A Guide to Building Dependable Distributed Systems". It is filled with actionable advice and the latest research on how to design, implement, and test systems to withstand attacks. It has extremely broad coverage of security in general and is absolutely worth buying!

The Current State of IoT Security and a Glimpse Into The Future

On Tuesday 10th March, I was invited to give a guest lecture about IoT security at Blekinge Tekniska Högskola (BTH) in Karlskrona, Sweden. Karlskrona is approximately 3 hours from Malmö.

During my lecture, I gave realistic examples of attacks targeting IoT systems, for instance attacks on consumer drones, electric cars, and IP cameras. I also discussed the technical, procedural, and human challenges involved in securing the IoT, and some safeguards.

Blekinge Tekniska Högskola.

In the future, I will work to automate IoT security. Just as smart devices act autonomously to perceive and act on their environment, IoT security should evolve towards greater autonomy in detecting threats and reacting to attacks. This evolution relates to the autoimmunity of smart devices, allowing for the prevention and containment of attacks in hostile environments.

You can access a condensed version of my lecture here.


Weak risk awareness of our connected homes

Traditionally, only a handful of household devices were connected to the Internet. Nowadays, everyday devices ranging from toasters and lightbulbs to TVs are connected to the Internet, with the possibility of being remotely controlled. These devices often go by the name of Internet of Things (IoT) or smart home devices. While they bring added convenience, efficiency, and peace of mind, they also bring unique perils to smart home residents.


The more smart devices are connected to the home network, the more can go wrong. Attackers can reprogram the devices to attack others, vendors can collect fine-grained information on your activities and behaviours, or your devices could become infected with malware that prevents you from entering your home or adjusting the temperature to your liking. Many of the manufacturers making these devices have little experience with information security and see security and privacy as a burden. As a result, many devices on the market have little or no security baked into them. For example, some ship with default passwords that are easily found on the Internet, or they cannot be easily updated or reconfigured in a more secure or privacy-preserving way.
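Two points on this page, the default-credential probing that Which? observed in its fake smart home and the factory passwords described in the paragraph above, can be made concrete with a small log analyser. The following is an added example, not code from this blog, from Which?, or from any vendor. It assumes a simple line format for a telnet/SSH honeypot posing as a smart home device, and a short constructed list of well-known factory defaults; the sample log lines are constructed, not captured traffic. It flags sources hammering the device with default credentials and also offers a pre-deployment check that a device's own credentials are not on the default list.

```python
"""Flag default-credential login attempts in honeypot logs (added example)."""
import re
from collections import Counter

# Constructed list of widely published factory-default credentials. This is an
# assumption for the example; a real deployment would load a fuller list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", "password"),
    ("root", "root"),
    ("root", "vizxv"),
    ("user", "user"),
}

# Assumed honeypot log format (not any real product's format):
#   <timestamp> <source ip> login <failed|succeeded> user=<name> pass=<password>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+login\s+"
    r"(?P<result>failed|succeeded)\s+user=(?P<user>\S*)\s+pass=(?P<pw>\S*)$"
)

# Constructed sample log: one noisy scanner, one lighter probe, one real owner,
# and one malformed line that must be skipped rather than crash the parser.
SAMPLE_LOG = """\
2021-06-01T00:00:01Z 203.0.113.5 login failed user=admin pass=admin
2021-06-01T00:00:02Z 203.0.113.5 login failed user=root pass=root
2021-06-01T00:00:03Z 203.0.113.5 login failed user=root pass=vizxv
2021-06-01T00:00:04Z 203.0.113.5 login failed user=admin pass=1234
2021-06-01T00:01:10Z 198.51.100.7 login failed user=admin pass=hunter2
2021-06-01T00:01:11Z 198.51.100.7 login failed user=user pass=user
2021-06-01T00:02:00Z 192.0.2.10 login succeeded user=owner pass=S3cure!
this line is not a login event and is skipped
"""


def parse_line(line):
    """Return the fields of one login event, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def uses_default_credentials(user, password):
    """Pre-deployment check: is this username/password pair a known factory default?"""
    return (user, password) in DEFAULT_CREDENTIALS


def analyse(log_text, failed_threshold=3):
    """Summarise login attempts per source and flag default-credential use.

    Returns a dict with:
      attempts_by_src  - Counter of all login attempts per source IP
      default_hits     - (src, user, pw) tuples that used a factory default
      brute_force_srcs - sources with at least failed_threshold failed attempts
      succeeded        - (src, user) pairs for successful logins
    """
    attempts = Counter()
    failures = Counter()
    default_hits = []
    succeeded = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # malformed or unrelated line
        attempts[ev["src"]] += 1
        if ev["result"] == "failed":
            failures[ev["src"]] += 1
        else:
            succeeded.append((ev["src"], ev["user"]))
        if uses_default_credentials(ev["user"], ev["pw"]):
            default_hits.append((ev["src"], ev["user"], ev["pw"]))
    brute = sorted(src for src, n in failures.items() if n >= failed_threshold)
    return {
        "attempts_by_src": attempts,
        "default_hits": default_hits,
        "brute_force_srcs": brute,
        "succeeded": succeeded,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for src, n in report["attempts_by_src"].most_common():
        print(f"{src}: {n} login attempts")
    print("default-credential attempts:", len(report["default_hits"]))
    print("brute-force sources:", report["brute_force_srcs"])
    print("successful logins:", report["succeeded"])
```

On the constructed sample, 203.0.113.5 is reported as a brute-force source (four failed attempts, all with factory defaults), 198.51.100.7 stays below the threshold but still contributes a default-credential hit, and the owner's successful login is listed separately so a successful login with a default pair would stand out. The threshold and the credential list are the two knobs a practitioner would tune to their own device fleet.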

In August 2018, I was interviewed by Malmö University on a similar topic. The interview was transcribed in Swedish, but you can now read the full interview in English at the following link: http://iotap.mau.se/weak-risk-awareness-connected-homes/