Corporate Security Standards, Best Practices, and Frameworks

Effective information security management involves the use of standardized frameworks to guide decisions pertaining to security. All organizations have a responsibility to safeguard their information assets and reduce risk by using well-defined frameworks that are supported by corporate standards and best practices.

Over the years, many such standards, best practices, and frameworks have been developed to support information security managers. Along with ensuring that the correct security controls are implemented, it is also important to build and develop the business, IT, and security processes in a systematic and controlled manner. The security controls can be seen as the objects, and the processes are how these objects are used.

A simple depiction of the different security standards, best practices, and frameworks is shown below.

If you wish to learn about any of the above, please get in touch. You are also invited to suggest themes for me to write about.

Cyber Threat Maps

A cyber threat map, sometimes called a cyber attack map, is an animated map of the attacks a vendor's sensors or customers are reporting. These maps let you watch attacks being drawn from one country or continent to another. Most of them resemble video games, with colourful light beams indicating attacks from one region of the world to another. Keep in mind what a beam represents: the vendor's own telemetry, placed on the map by geolocating the source IP address. That address is usually a compromised host, a proxy, or a spoofed packet, so a map shows where attack traffic enters the Internet, not who is behind it, and different vendors' maps disagree simply because they draw on different sensors.

Cyber threat maps can be highly useful in examining past attacks in terms of locations, volumes, and patterns. They can also help someone who is just starting out in their studies to acquire a sense of what is involved in the intricate world of cybersecurity. Last week, I had my introductory lecture on cyber security at Malmö University. I used cyber threat maps in my lecture to help raise awareness of how prevalent cyber security attacks are.

Kaspersky Cyberthreat Real-Time Map

Here are three of my favorite cyber threat maps (listed in no particular order):

Check Point ThreatCloud Live Cyber Threat Map

FireEye Cyber Threat Map

Kaspersky Cyberthreat Real-Time Map

If you want to learn more about the topic of attack detection and how cyber threat maps work, you are welcome to get in touch.

Where are we today with IoT Security Standards?

IoT security standards are necessary because most IoT devices ship with little built-in security: default or hard-coded credentials, services exposed to the network without authentication, and no mechanism for receiving updates are still common. It is hard to predict whether a given device will be compromised and, if it is, what data will be exposed. Defined security criteria are needed for this technology to evolve responsibly without introducing new problems. Here is a quick rundown of some of the most recent security standards.

In the United States, the IoT Cybersecurity Improvement Act of 2020 was signed into law in December 2020. It is the first federal IoT security law in the US: it directs NIST to publish security requirements for IoT devices and prohibits federal agencies from procuring devices that do not meet them. In Europe, ETSI published EN 303 645 V2.1.1, a cybersecurity standard for consumer IoT products, in June 2020. Its purpose is to encourage better security practices and security-by-design in the creation of new connected consumer products; its first three provisions are no universal default passwords, a published vulnerability disclosure policy, and keeping software updated. Also in June 2020, the UK Department for Digital, Culture, Media and Sport (DCMS) announced new measures to protect users of internet-connected household devices from cyberattacks, including a product assurance scheme under which certified IoT devices bear an assurance label or kitemark indicating that they have completed independent testing or a thorough, accredited self-assessment process.

When it comes to the IoT, one of the most crucial considerations is security. As the IoT grows more intertwined in people’s lives, security standards are required to keep it safe from hostile attacks and prying eyes. There is so much that can be done to improve IoT security, and this is an opportunity for bright minds to get together and influence the IoT’s future.

Finally please remember that you are welcome to contact me and suggest themes for future posts.

The Internet of Things and Security

The Internet of Things (IoT) is changing the way we live. The IoT is the idea of having devices that are connected to each other and can be controlled via the Internet. Cameras, refrigerators, alarm systems, televisions, and other electronic gadgets are examples of such devices. The IoT has contributed to giving people an improved quality of life.

But how can we put our trust in all of these IoT devices? How can we be sure they will not turn against us? How will we know whether or not the device we are utilizing is safe? All of these questions are key to unlocking growth in the IoT.

IoT devices can be both physical and virtual in nature. They can have a variety of different functions, from being a simple remote control to being a complex system that monitors the environment, collects data, and sends it back for analysis.

Many people do not realise that their smart home devices may contain security vulnerabilities that hackers can exploit. By exploiting weaknesses in devices such as connected door locks and lighting systems, an attacker can enter a smart home or even switch off its power. For instance, a study by the UK consumer group Which? set up a fake "smart home" and, over the course of one week, recorded 2,435 attempts to log in to its devices using weak default usernames and passwords.

Cybersecurity is a critical responsibility for organisations of all sizes, but manufacturers in particular must do more to ensure that IoT devices are secure from hackers and do not endanger consumers' lives. In the UK, the Product Security and Telecommunications Infrastructure (PSTI) Bill was recently introduced to impose stricter cybersecurity rules on manufacturers, importers, and distributors of consumer IoT products, such as a ban on universal default passwords and a duty to publish a vulnerability disclosure policy. This legislation is intended to better protect consumers' IoT devices from hackers and to give the IoT market the trust it needs to reach its full potential.

If you would like to learn about IoT security and how to safeguard your IoT devices, please get in touch.

My Lecture about the IoT and Data Privacy

We live in a world where even brushing our teeth can constitute the transmission of data to servers across the world. One day, we will sleep with smart pillows that will be able to detect our stress levels and send them to an app on our phone. We already wear fitness trackers all day, every day. What does this mean for our privacy? This is what I talked about during my 2-hour guest lecture at Malmö University on December 15.

The Internet of Things (IoT) is all around us, and with it comes an increased risk of privacy and security breaches. In the age of the IoT, we must be cautious about the information we make available to the public or share with shops and manufacturers. We must also consider how businesses may exploit personal data to discriminate against us or charge us extra since they have more knowledge about us thanks to these devices. 

Please feel free to get in touch if you need any information about privacy, security, or related topics.

My FOSAD experience and Ph.D. security courses

Going back to the summer of 2016, I had the opportunity to attend a summer school on information security. It was the International School on Foundations of Security Analysis and Design (FOSAD) held in the University Residential Center of Bertinoro, Italy. FOSAD is one of the best Ph.D. summer schools I have ever attended.

There were various outstanding and demanding presentations on a wide range of topics, including mathematical models, analysis tools, Internet security, formal verification of security protocol implementations, and practical system security, among others.

Aside from education, we also enjoyed the Italian countryside, breathtaking views, exquisite food, and some local wine. I had the opportunity to meet and mingle with exceptional students from all around the world, as well as professors from renowned universities. This also helped me in the expansion of my academic network.

If you are a Ph.D. student or simply you want to delve deeper into the intricate world of information security, I recommend attending FOSAD, preferably in person. It is a challenging summer school, but it is one of the best schools I have ever attended.

Here is a group photo from that event.

FOSAD 2016 group photo (adapted from http://www.sti.uniurb.it)

More details about FOSAD can be found on their website: https://sites.google.com/uniurb.it/fosad

Finally, if you want to learn more about security-related Ph.D. courses organized in Sweden, I highly recommend that you visit the website: https://swits.hotell.kau.se/Courses/SWITS-PhD-courses-in-IT-security.htm

Also, please feel free to drop me an email or a tweet in case you want to know more about Ph.D. courses in general.

Life as a postdoc

What is a postdoc? A postdoctoral researcher (postdoc) is a scientist who receives advanced training in a certain domain by collaborating with a subject matter expert. It is a temporary position that bridges the gap between a Ph.D. and a career in academia. There is no other job like this. You get to choose what you want to accomplish and how you want to do it as a postdoc. You may work on new projects almost autonomously or design your research projects with the help of your mentors. 

My work as a postdoc in computer science focuses mainly on cyber security and digital privacy. Most of my days are spent researching topics like machine learning and artificial intelligence, as well as how they may be utilised to automate security processes and privacy management on the Internet of Things. I examine solutions that have been developed to help secure systems and user data against evolving threats. Some of the domains I am researching are related to smart buildings and smart homes.

Life as a postdoc can be challenging, but it is also full of opportunities. Aside from your research tasks, which will mostly revolve around publishing, you will be required to take on responsibilities that go beyond those of your Ph.D. You could be handling administrative tasks, including funding applications and working long hours in the lab, as well as lecturing and supervising Bachelor’s or Master’s students. Fortunately, I had the opportunity to complete the majority of the aforementioned activities throughout my Ph.D.

What else can I say? On a typical day, there is rarely a moment when I am bored or feel as if I do not have enough to do. You will likely find a large amount of freedom in what you choose to focus on. You do not need to think about whether you are using your time well because there is so much interesting work to be pursued! Of course, I am biased here because my postdoc themes are partly related to what I studied during my doctoral studies and on which I have industrial expertise.

If you want to learn more about postdoc life in Sweden, have questions about my research interests, or simply want to get in touch, you are welcome to email or tweet me.

The Ph.D. Thesis of the Year Award

I am incredibly honoured and humbled to receive the Ph.D. Thesis of the Year Award (Årets avhandling) in Computer Science from Malmö University in Sweden. This prize acknowledges my 5+ years of research on the topic of threats and risks affecting IoT-based smart homes.

Ph.D. Thesis of the Year Award (Årets avhandling) in Computer Science (2021).

Learn more about the award by clicking here. Furthermore, you can access the presentation I delivered during that event by clicking here.

Lecture about IoT Security

On Tuesday, September 28th, I delivered an online lecture to Bachelor’s students at Lund University in Sweden. In the lecture I covered the topic of IoT security, especially in relation to consumer IoT systems.

One of the slides that I discussed in my lecture is shown below. The Mirai malware of 2016 is seen as a watershed moment in the threat landscape. It scanned the Internet for devices exposing telnet, logged in with a short list of factory-default usernames and passwords, and enlisted the devices it captured into a botnet that was then used for distributed denial-of-service (DDoS) attacks of unprecedented size, including the October 2016 attack on the DNS provider Dyn. It demonstrated that IoT botnets can be deployed in DDoS attacks and do substantial damage.
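The Mirai pattern described above, and the default-credential login attempts the Which? "fake smart home" recorded, are the same behaviour seen from the defender's side: one source trying several factory-default username/password pairs against a device in quick succession. The following detector is an added example written for this post, not code from the lecture or from Mirai. It assumes a constructed honeypot log format (the `src=... user=... pass=... result=...` lines below are made up for the example, using documentation IP addresses), and `DEFAULT_CREDS` is a subset of the default pairs tried by the leaked Mirai scanner. Honeypots record the attempted credential, which is what makes this classification possible; production devices should log usernames only, never passwords.

```python
"""Flag Mirai-style default-credential login storms in device auth logs.

Added example: the log format is constructed for this post, and DEFAULT_CREDS
is a subset of the factory-default pairs the leaked Mirai scanner tried.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Subset of Mirai's credential list; each pair is a real default on some device family.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("support", "support"), ("admin", "password"), ("root", ""),
}

# Constructed honeypot log format: one authentication attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def analyze(lines, window_seconds=60, min_defaults=3):
    """Group attempts by source, slide a time window over each source's attempts
    and count the distinct *default* credential pairs tried inside it.
    'high'     = min_defaults or more distinct defaults within one window
    'critical' = a default pair was accepted (the device is effectively owned)."""
    events = [ev for ev in map(parse_line, lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        start, best = 0, 0
        for i, ev in enumerate(evs):
            # drop attempts that fell out of the window ending at this event
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            tried = {(x["user"], x["pw"]) for x in evs[start:i + 1]} & DEFAULT_CREDS
            best = max(best, len(tried))
        accepted = sorted({ev["dst"] for ev in evs
                           if ev["result"] == "ok" and (ev["user"], ev["pw"]) in DEFAULT_CREDS})
        if accepted:
            findings.append({"src": src, "severity": "critical",
                             "reason": "default credential accepted",
                             "dst": accepted, "distinct_defaults": best})
        elif best >= min_defaults:
            findings.append({"src": src, "severity": "high",
                             "reason": "default-credential brute force",
                             "dst": sorted({ev["dst"] for ev in evs}),
                             "distinct_defaults": best})
    # critical findings first, then by source address so the report is stable
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["src"]))


# Constructed sample: a fast Mirai-style scan, a scan that succeeds, a legitimate
# SSH login with a typo first, and a slow scan spread over an hour.
SAMPLE_LOG = """\
2021-09-28T10:00:01Z src=198.51.100.7 dst=192.0.2.10 proto=telnet user=root pass=xc3511 result=fail
2021-09-28T10:00:02Z src=198.51.100.7 dst=192.0.2.10 proto=telnet user=root pass=vizxv result=fail
2021-09-28T10:00:03Z src=198.51.100.7 dst=192.0.2.10 proto=telnet user=admin pass=admin result=fail
2021-09-28T10:00:04Z src=198.51.100.7 dst=192.0.2.10 proto=telnet user=root pass=888888 result=fail
2021-09-28T10:00:30Z src=203.0.113.5 dst=192.0.2.11 proto=telnet user=root pass=xc3511 result=fail
2021-09-28T10:00:31Z src=203.0.113.5 dst=192.0.2.11 proto=telnet user=root pass=vizxv result=fail
2021-09-28T10:00:32Z src=203.0.113.5 dst=192.0.2.11 proto=telnet user=root pass=admin result=ok
2021-09-28T10:05:00Z src=192.0.2.50 dst=192.0.2.10 proto=ssh user=alice pass=*** result=fail
2021-09-28T10:05:09Z src=192.0.2.50 dst=192.0.2.10 proto=ssh user=alice pass=*** result=ok
2021-09-28T11:00:00Z src=198.51.100.9 dst=192.0.2.12 proto=telnet user=root pass=xc3511 result=fail
2021-09-28T11:30:00Z src=198.51.100.9 dst=192.0.2.12 proto=telnet user=root pass=vizxv result=fail
2021-09-28T12:00:00Z src=198.51.100.9 dst=192.0.2.12 proto=telnet user=admin pass=admin result=fail
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

With the defaults, the scan from 198.51.100.7 is reported as high and 203.0.113.5 as critical, while the legitimate login is ignored. The slow scan from 198.51.100.9, three defaults spread over an hour, slips under a 60-second window; widening `window_seconds` catches it at the cost of more state per source, which is exactly the trade-off a real scanner exploits by pacing its attempts.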

Recognising the significance of addressing IoT security as more and more things become connected to the Internet, European Commission President Ursula von der Leyen announced a Cyber Resilience Act in her State of the Union address on September 15, 2021. The Act is intended to lay out a common European approach to cybersecurity by establishing common cybersecurity requirements for connected devices.

If you have any queries about information security or would like to collaborate with me, please contact me.

Security Engineering and Machine Learning

This week I attended the 36th IFIP TC-11 International Information Security and Privacy Conference. The conference was organized by the Department of Informatics at the University of Oslo. During the first day of the conference, there was a keynote on Security Engineering by the celebrated security expert Prof. Dr. Ross Anderson.

He discussed the topic involving the interaction between security engineering and machine learning. He warned us about the things that can go wrong with machine learning systems, including some new attacks and defenses, such as the Taboo Trap, data ordering attacks, sponge attacks, and more.

Outline of Ross Anderson’s keynote (IFIP TC-11).

I especially enjoyed the part of his talk where he mentioned human-to-machine-learning interaction. Coincidentally, this is a topic that I am researching. He discussed cases where robots incorporating machine learning components start mixing with humans and tension and conflict arise, e.g., robots trying to deceive and bully humans. This is a scenario that we should expect to see more of in the future.

I highly recommend that you consider purchasing his brilliant book, "Security Engineering: A Guide to Building Dependable Distributed Systems". It is filled with actionable advice and the latest research on how to design, implement, and test systems to withstand attacks. The book has extremely broad coverage of security in general and is absolutely worth the purchase!