IoT Cybersecurity: Two New Documents Published by NIST

As an IoT practitioner or device manufacturer, it is important to keep up with the latest developments in IoT cybersecurity. The National Institute of Standards and Technology (NIST) has recently released two draft documents for public comment that are relevant to the IoT.

The first is a discussion essay titled “Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity”. This discussion paper lays the groundwork for forward-looking discussions on identifying and addressing risks to IoT devices, drawing on NIST’s earlier work in IoT cybersecurity (for example, NISTIR 8259).

The second is a draft NIST Internal Report (‘NISTIR’) 8425 titled “Profile of the IoT Core Baseline for Consumer IoT Products”. NISTIR 8425 restates the consumer IoT cybersecurity criteria from NIST’s white paper “Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products” and incorporates them into the family of NIST’s IoT cybersecurity recommendations.

I recommend you keep tabs on these documents, particularly NISTIR 8425. 

The CNIL’s Privacy Research Day

The CNIL’s first International Conference on Research in Privacy took place in Paris yesterday, June 28, and was broadcast online for free. In addition to providing a great opportunity to consider the influence of research on regulation and vice versa, the conference helped build bridges between regulators and researchers.

During the day, experts from different fields presented their work and discussed its impact on regulation and vice versa. I attended online; the panelists covered many interesting topics, ranging from the economics of privacy, smartphones and apps, and AI and explanation, to more. One of the panels I particularly liked was the one on AI and explanation.

Machine learning algorithms are becoming more prevalent, so it is important to examine other factors in addition to optimal performance when evaluating them. Among these factors, privacy, ethics, and explainability should be given more attention. Many of the interesting pieces I see here are related to what I and my colleagues are working on right now and what I have planned for my upcoming projects.

You are welcome to contact me if you are curious about what I am working on and would want to collaborate.

Never Underestimate the Power of Networking: Tips for Connecting with People at Conferences

Successful people are good at networking. The value of effective networking can be seen in the job market. Many application forms ask for references from several people. If you have an effective network, these people could also be your referees, and you can choose those who would be best placed to be asked about your suitability for a role.

Networking at conferences is a great way to make connections and find out about what other businesses are doing. It is always best to meet as many people as possible, but one should not be afraid to target their networking efforts at those who seem more interesting or relevant to them.

Here are five tips to be effective at networking at these important events:

1) Planning for the conference. You should be prepared before you even arrive at the conference. Make sure that you are familiar with the program, who is speaking, and what topics will be covered. This will help you decide where and when it would be most useful for you to meet people and make connections. Also, check out the website of the organization hosting the event so that you can see if there are any extra events taking place during the breaks (e.g., after lunch), which might provide further opportunities for networking.

2) Figure out who you need to meet and find them. If you do not know what they look like, ask a colleague. Highlight their names and search for them on the Internet so that you know what they look like.

3) Introductions. Introductions can be made in many ways – when you first arrive at the conference venue, walk around and introduce yourself to people who may benefit from knowing more about what you do or could offer them. Instead of hovering around one person and waiting for them to approach you, make the first move yourself.

4) Take part in the dinner. It is important to remember that it is the coffee/tea breaks, lunches, and dinners that are the prime networking opportunities, so do not stick all the time with your friends and colleagues. Also, remember not to drink too much or choose something really messy to eat.

5) Wear appropriate attire. If you want to be viewed as a serious professional, wear smart clothes. Wearing jeans to a networking event may not be ideal for the type of people you want to meet.

Networking is a skill that can be learned and developed, but it takes time to get good at it. Effective networking means being proactive about your own career progression and developing the skills to be a good networker. It is not difficult to do, but it does require some effort, thought, and planning. I hope that with this post you have learned some useful tips for building your network of connections. 

Threat Modeling: Some of the Best Methods

Threat modeling methods are a set of general principles and practices for identifying cyber threats to computer systems and software. These methods can be applied during the design phase of new systems or when assessing existing security controls against new threats. There are several threat modeling methodologies in use today, ranging from informal processes to formalized models that can be captured within software tools. A summary of some of the most popular threat modeling methods is provided below:

• Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE)

• Process for Attack Simulation and Threat Analysis (PASTA)

• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

• Trike

• Visual, Agile, and Simple Threat Modeling (VAST)

• Common Vulnerability Scoring System (CVSS)

• Attack Trees

• Persona non Grata (PnG)

• Security Cards

• Hybrid Threat Modeling Method (hTMM)

• Quantitative Threat Modeling Method (QTMM)

• Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of Information, Unawareness, and Non-compliance (LINDDUN)

All of the above methods are designed to identify potential threats, except for CVSS, which scores the severity of already-known vulnerabilities rather than discovering threats. The number and types of threats found will vary considerably between the methods, as will their quality and consistency. Which one is your favorite threat modeling method? Are you interested in using some of the methods above for your company or research project?
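To make the first method on the list concrete, here is a small STRIDE-per-element enumerator. It is an added illustration, not code from the original post: the element-to-category table is the standard STRIDE-per-element mapping (external entities get S and R; processes get all six; data stores and data flows get T, I and D, with audit-log stores also getting R), and the data-flow diagram of a smart thermostat talking to a cloud API is constructed for the example. Each generated threat is paired with the security property it violates, which is what a defender mitigates.

```python
"""STRIDE-per-element over a small data-flow diagram (DFD).

Added example, not the original post's code. The PER_ELEMENT table is the
standard STRIDE-per-element mapping; the DFD at the bottom is constructed.
"""
from dataclasses import dataclass

# STRIDE letter -> (threat category, security property the threat violates).
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information Disclosure", "confidentiality"),
    "D": ("Denial of Service", "availability"),
    "E": ("Elevation of Privilege", "authorization"),
}

# STRIDE-per-element: which categories apply to each kind of DFD element.
# A data store additionally gets Repudiation when it holds audit logs.
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str             # one of the PER_ELEMENT keys
    is_log: bool = False  # data_store only: audit logs also get R


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    violates: str


def enumerate_threats(elements):
    """Return one Threat per (element, applicable STRIDE category)."""
    threats = []
    for el in elements:
        if el.kind not in PER_ELEMENT:
            raise ValueError(f"unknown DFD element kind: {el.kind}")
        letters = PER_ELEMENT[el.kind]
        if el.kind == "data_store" and el.is_log:
            letters += "R"
        for letter in letters:
            category, prop = STRIDE[letter]
            threats.append(Threat(el.name, category, prop))
    return threats


def summarize(threats):
    """Count threats per category to see where the model is heavy or thin."""
    counts = {category: 0 for category, _ in STRIDE.values()}
    for t in threats:
        counts[t.category] += 1
    return counts


# Constructed DFD (assumption): a smart thermostat reporting to a cloud API.
DFD = [
    Element("User (mobile app)", "external_entity"),
    Element("Thermostat firmware", "process"),
    Element("Cloud API", "process"),
    Element("Telemetry DB", "data_store"),
    Element("Audit log", "data_store", is_log=True),
    Element("Thermostat -> Cloud API (TLS)", "data_flow"),
]

if __name__ == "__main__":
    found = enumerate_threats(DFD)
    for t in found:
        print(f"{t.element:32} {t.category:24} violates {t.violates}")
    print(summarize(found))
```

Running the script lists 24 candidate threats for the six-element diagram; the per-category summary is a quick sanity check that, for example, every process has been considered for elevation of privilege and every flow for disclosure. The enumerated threats are the starting point for the mitigation discussion, not its conclusion.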

Panel Discussion on the topic of Designing IoT Systems

I was invited to participate in a panel discussion at Malmö University on Friday, April 8th. The topic of “Designing IoT Systems” was the one I was asked to speak about. There were representatives from Sony and Sigma Connectivity in the panel with me. Concerns about trustworthiness were a major topic of discussion during the session. 

Safety, security, privacy, reliability, and resilience tend to be identified by several researchers as the main trustworthiness concerns in the IoT domain. Addressing these concerns is what ensures that systems function as intended in a variety of situations.

According to several academics, the most challenging aspects of designing trustworthy IoT systems are achieving privacy and security. From applications to devices, each layer of the Internet of Things has its own set of security risks and potential attacks. From a research perspective, a hot topic is that of building energy-efficient security, along with scalable and dynamic security architectures. Preserving data privacy in the IoT, on the other hand, is also particularly challenging. Existing IoT privacy mechanisms are often built for single services, and not necessarily for interdependent, dynamic, and heterogeneous services. Building new privacy preservation techniques for interdependent services is a hot topic, as is federated learning when it comes to data privacy.

Panel discussion on the topic of “Designing IoT Systems”

Finally, there are a number of standards that pertain to trustworthiness. ISO/IEC 30147 “Integration of trustworthiness in IoT lifecycle processes” and ISO/IEC 30149 “IoT trustworthiness principles” are two ISO/IEC standards.

If you want to collaborate with me or learn more about a specific topic that is related to my research topics, please send me an email.

Corporate Security Standards, Best Practices, and Frameworks

Effective information security management involves the use of standardized frameworks to guide decisions pertaining to security. All organizations have a responsibility to safeguard their information assets and reduce risk by using well-defined frameworks that are supported by corporate standards and best practices.

Over the years, many such standards, best practices, and frameworks have been developed for supporting information security managers. Along with ensuring that correct security controls are implemented, it is also important to be able to build and develop the business, IT, and security processes in a systematic and controlled manner. The security controls can be seen as the objects, and the processes are how these objects are used. 

A simple depiction of the different security standards, best practices, and frameworks is shown below.

If you wish to learn about any of the above, please get in touch. You are also invited to suggest themes for me to write about.

The Ultimate OSINT Collection

For threat agents, reconnaissance (scouting) and gathering intelligence are vital. The aim is to get as much information about a potential target as possible. With that information, they can exploit weaknesses in a system or an individual in order to gain access to a system. One type of data that is often overlooked by victims and hackers alike is publicly available data. The collection and analysis of data acquired from open sources (overt and publicly available sources) is known as open-source intelligence (OSINT). Some examples of OSINT sources are social media, forums, news, blogs, public data and reports, and other publicly available materials.

Red or blue, OSINT can help threat agents and researchers alike discover blind spots they may be unaware of. It allows them to create attack scenarios for red teams or hypotheses for threat hunting. In my opinion, most cybersecurity initiatives should include OSINT, a service that is often overlooked. A fantastic one-stop shop for the best OSINT content is compiled by @hatless1der and is available at https://start.me/p/DPYPMz/the-ultimate-osint-collection.

Investigative tools/resources collection from Hatless1der OSINT collection.

Please remember to get in touch if you want to learn more about cyber security research and OSINT.

Cyber Threat Maps

A cyber threat map, sometimes known as a cyber attack map, is a live map of current computer security attacks. These maps allow one to observe attacks as they pass through countries and continents. The majority of the cyber threat maps resemble video games, with colorful light beams indicating attacks from one region of the world to another.

Cyber threat maps can be highly useful in examining past attacks in terms of locations, volumes, and patterns. They can also help someone who is just starting out in their studies to acquire a sense of what is involved in the intricate world of cybersecurity. Last week, I had my introductory lecture on cyber security at Malmö University. I used cyber threat maps in my lecture to help raise awareness of how prevalent cyber security attacks are.

Kaspersky Cyberthreat Real-Time Map

Here are three of my favorite cyber threat maps (listed in no particular order):

Check Point ThreatCloud Live Cyber Threat Map

FireEye Cyber Threat Map

Kaspersky Cyberthreat Real-Time Map

If you want to learn more about the topic of attack detection and how cyber threat maps work, you are welcome to get in touch.

Where are we today with IoT Security Standards?

IoT security standards are necessary because the IoT is fundamentally insecure. It is hard to predict whether or not an IoT device will be hacked, and even if it is, what data will be compromised. There must be defined criteria for security standards for this technology to evolve responsibly without introducing new problems. Here is a quick rundown of some of the most recent security standards.

In the United States, the IoT Cybersecurity Improvement Act of 2020 was signed into law in December 2020. This is the first piece of IoT legislation in the US aimed at ensuring that federal agencies only buy IoT devices that adhere to strict security requirements. A new cybersecurity standard for consumer IoT products (ETSI EN 303 645 V2.1.1) was introduced in the European Union in June 2020. The purpose of this standard is to encourage better security practices and the use of security-by-design concepts in the creation of new connected consumer products. The Department of Culture, Media, and Sport in the United Kingdom also announced new measures in June 2020 to protect users of internet-connected household devices from cyberattacks. They introduced a product assurance scheme that requires certified IoT devices to bear an assurance label or kitemark indicating that they have completed independent testing or a thorough and accredited self-assessment process.

When it comes to the IoT, one of the most crucial considerations is security. As the IoT grows more intertwined in people’s lives, security standards are required to keep it safe from hostile attacks and prying eyes. There is so much that can be done to improve IoT security, and this is an opportunity for bright minds to get together and influence the IoT’s future.

Finally, please remember that you are welcome to contact me and suggest themes for future posts.

The Benefits and Drawbacks of Doing a Ph.D. at Different Times in Your Life 

A Ph.D. is a big commitment, and there is no doubt that it is a big investment in your future career. Figuring out when to make this investment can be tricky, but there are a few factors to consider to find the right time for you.

For most people, their 20s are the perfect time to do a Ph.D. That is when your career is just beginning, you can take advantage of the opportunities that being a student provides, and you still have lots of energy and enthusiasm for the subject after several years of hard work. The problem with youth, though, is that young people may not be adequately aware of the commitment a Ph.D. requires. One can argue that they are not mature enough to understand that they will need to work long hours to do well.

For other people, there are many benefits to starting a Ph.D. as late as in their 50s or 60s. You might have already achieved financial stability or professional goals, and carrying on with a Ph.D. may be something you want to do for yourself. On the other hand, it can be harder to do a Ph.D. as an older student because of a lack of time and energy.

Overall, the benefits and drawbacks of doing a Ph.D. at different ages depend on individual circumstances and goals. But your life stage will have a significant impact on your Ph.D. experience and your career prospects. I think, overall, the right time to do a Ph.D. is when you have a stable life. If you are a single person, it is also important to make sure that you have enough time to devote to your research and still have the ability to have a social life.

You are welcome to contact me for more information and tips on what it is like to be a Ph.D. student, particularly in Sweden, but also worldwide.