Network Security Biometrics

Introduction

This assignment is a major assignment in the area of network security. The goal is for each of you to focus on a particular part of network security to a greater depth than was examined in assignment one.

Assignment Specification

This assignment can be completed as an individual assignment, or in groups of 2. Once you have selected a topic, it is time to get busy. This is a research assignment, and it is longer than the written reports we have already completed. As such you are expected to read more content than you did in these to be able to demonstrate your understanding of your topic at deep level. Academic sources are expected, most of which would be peer-reviewed articles that have been published in Journals or Conferences.

This assignment is different to the written tasks in terms of how it is to be presented. This paper will be presented like a conference paper that is of a publication level in terms of its layout and style.

This assignment is to be 4000 words in length, plus or minus 10%, and not including the references or contents page.

Topic List

Choose one of the following:

  1. Discuss the computation that enables biometrics to be used for evidence of identity in a digital world and discuss the vulnerabilities and threats that may impede the successful use of biometrics for this purpose. 
  1. What is PKI? Discuss the challenges and benefits which face a company for in-house PKI vs Commercial PKI. 
  1. Government and Law enforcement have a history of attempting to put encryption work arounds, and back doors, into consumer devices and security infrastructure. Discuss the successfulness and security ramifications on consumers of suchpolicy. 
  1. Compare and contrast, in depth, the security requirements in control system networks (such as SCADA) to more typical general purposenetworks. 
  1. IoT devices are increasingly common. Describe the security implications of the proliferation of such devices.

Solution 

Tittle:IoT devices are increasingly common. Describe the security implications of the                    proliferation of such devices.

Abstract

The Internet of Things involves extreme networking and synchronized communication of IoT devices via an internet infrastructure. It is a real world face of the internet age evolution that allows new services and functionalities to be developed and deployed to given consumers with a main purpose of ubiquitous data collection, tracking, health monitoring and entertainment.

Usually IoT application involves generation and processing of loads of data with an aim of analyzing it so has to generate important and meaningful information that will provide ground for efficient service provision or environment supervision.

As much as it has attracted popularity among users, a major drawback in the application of IoT is the number of key challenges its realization comes with. The challenges usually occur in privacy and security areas, caused as a result of heterogeneity of the devices connected to form an Internet of Things network of a communicating group of devices and also differences in networking capacity of each IoT device. There has been new threats and challenges towards use of IoT devices e.g. cyber stalking, phishing, spamming and hacking.

This paper discusses the security and privacy concerns generated by use of IoT devices and there implications. It also briefly gives ways of managing and preventing such security and privacy issues.

Keywords

Privacy, Legislation, Internet of Things, Threats

Introduction

The Internet of Things (IoT) has attracted many users from individuals, household users to full-fledged organizations because of its inherent ability to change routine personal lives and way of doing business. Its social and economic impact is likened to the revolution the internet brought upon people across the globe.

IoT has many definitions but most of them are centralized on how various internet enabled devices it be wrist watches, bracelets, fridges or heart beat rate taker are connected to each other and in constant communication and exchange of information ubiquitously [1]. IoT involves devices and sensors connected and exchanging data with other machines, objects and environments. Gartner gave a prediction that by 2020 22 billion devices would be connected across the globe [2]. The following graph shows the projection of IoT growth into the future:

Source: Gartner; IBM; smart building facility manager Survey in building operating Management Jan 2015.

Since it is a new idea in the technological world, most Internet of Things technologies are in there infancy stage of development while other have been introduced into the market and have gained popularity very fast. The most notable examples are:

  • Sensing gadgets to improve day to day lives and keep check on health changes
  • Smart systems
  • Consumer needs anticipatory gadgets[3]

The IoT gadgets usually autonomously use software running separately on a network to proactively generate crucial data patterns, provide recommendations to end users that will improve/ monitor their health, environment, finances and ways of living. As much as IoT makes use of the internet it’s good for people to know the thin line separating it from normal internet use. The table below illustrates the differences:

The rise of IoT has a provided an opportunity for significant innovation that can range from smart household systems to smart cities. But a major concern that has impacted negatively on this technological development is general security threats and privacy concerns that involve consumers of IoT products as the number and variety of interconnected devises increases every day.

IoT devices are deemed to be more intertwined with our day to day lives in the near future than our cellphones. The devices will access to sensitive personal information. The major problem that will arise from the interconnection of this devices would be security risk where one security breach on a single IoT device will result to more than 50 such breaches [4].

The physically limited size and reduced processor capabilities of many IoT devices restricts application of encryption and security measures.[4]

In this paper we are going to discuss the security implications of the proliferation of IoT devices and how they have impacted the introduction of IoT devices into the world of consumers.

Security implications of the use of IoT devices can be divided into:

  • Security risks
  • Privacy risks

There are a number of security issues that arise from connection of many devices in such a way that they send and receive information among them autonomously. These security risks can cause the following to IoT solution users:

Allowing unauthorized access and inappropriate use of personal data.

  • Facilitation of cybercrimes on the rest of the system infrastructure
  • Causing individual physical insecurity.

These privacy issues may range from personal data, behavior, place of residence and physical conditions over time that may be used to advantage by corporate organizations or service lenders to the disadvantage of the consumer and also usage by cyber criminals. The diagram below shows common challenges facing IoT application.

Security Risks

Vulnerability to Hacking: White-hat gained access to IoT devices supplied to consumers when they were given sufficient time coupled with enough man power. This implies that hackers are most likely to breach the security of the devices also. A good scenario can be drawn from the breaching scientists of Microsoft Corporation and university of Michigan did on IoT devices which exposed Security gaps in Samsung’s SmartThings smart home platform. The process of attack was trivial. [5].

If the IoT is ever going to truly shake the tech world, vulnerability to hacking security issue needs to be number one on the list of issues of great concern for tech devices manufacturers which they need to consider. A high level of concern, will scare away probable consumers of IoT devices and may not be quick to purchase connected devices [5]. The following diagram illustrates how an IoT system breach can affect the whole system:

Source: Joe Hanson: The 10 challenges of securing IoT communications; 4 , May 2015.

Security weaknesses: A number of IoT devices are delivered by manufactures already having software that has not been upgraded or that will need upgrading over time. Others may be delivered somehow up to date, but weakness can be realized over time. Such systems are a threat to themselves due to low security levels hence making them easily attacked.

Unsecure Connections: A number of security policies created for normal computing are complex to enact on IoT solutions therefore many security gaps have been discovered including unsecure communications and information leaks. [5].

  • Unauthenticated Communications: A number of IoT devices are enabled with direct updating functionalities, verification and encryption, this method is insecure because it can be altered by intruders or can be disabled. Also, a number of IoT gadgets never apply identification in the process of exchanging information.

Clear text data exchange: Most IoT devices exchange some or all data in clear-text, of a ciphered secure mode. Such information exchange is easily intruded and seen over the network. An absence of transit encryption makes many gadgets fail that level of security while using the internet which is a great security risk [1].

Lack of Mutual Authentication and Authorization: When an unauthorized person gains acces to data or code of an IoT device the device is deemed unsecured. This device can show the presence or absence of its user and may allow installation and execution of malware making its IoT functions corrupted [5].

Lack of Network Isolation:  IoT devices can have their home systems intruded. Since household computerized systems are not enabled to directly pick various parts of the network that maybe providing unauthorized access, a breach of one home IoT device exposes the rest it is interconnected with in the home network [5].

Susceptibility to Malware Infection and Other intrusion: Viruses and other modes of intrusion could adversely affect interconnected devices functionality, gaining illegal access or executing attacks. Possibility of denial of service or session termination not only reduces the functionality of the IoT devices, but also they downgrade their security

IoT device security issues are likely to be continually this is due to the lack of provision of software updates by the manufacturer or any other responsible party and by consumers failing to apply various software patches available from the manufacturers. Provision of software upgrades which strengthen crucial security gaps is problematic in the long term perspective.

Several gadget vendors and manufacturers have minimal or lack platforms to avail their software updates to several devices by them. Also, most household consumers over the network updates deployment are difficult and many a times if done improperly the process may have negative effect on the gadget. Other devices are also made in such a way that there is no room for future updates [5].

Privacy Risks

Nowadays, it is getting more difficult for users to retain their privacy, as the Internet of Things technologies take over our daily lives. Conflicts on which way organizations are to access private information are pervasively contributed by use of IoT.

Ziegeldorf’s literature review [8] enumerates the most common privacy threats in the Internet of Things:

  • Unsecure identity verification is the common risk which connects a user with his/her actual entity;

2)  Geographical location tracking via different available means e.g. internet traffic, smartphone locating mechanism or satellite imagery

3) Profile stalking mostly used by private ecommerce ventures e.g. spamming, promotional ads etc. Private organizations gather information on peoples’ personal profiles so as to mine information of people which is contained in other sources they own and finally use the information to their financial/economical advantage without permission from affected owners of the information.

4) Interaction and presentation refers to the number of smart things and new ways of interacting with systems and presenting feedback to users. This becomes a threat to privacy when private data is exchanged between the system and the users;

5) During a lifespan of a smart device a lot of data is generated that concerns the user of the device. When a smart device “dies” mostly it is disposed off with the owners non- the wiser that it still houses some data gained during its use. This is a bad assumption since most devices can still retain history of their use if not properly destroyed and when a potential attacker gets possession of it he/she may recover the data still contained by the dead device and use it later on maliciously.

6) Inventory attacks targeting weak points of illegal access of collected data. Internet hackers normally store personal information of other people they have illegally accessed for some time then use it later when a situation arises to attack a particular internet user.

7) Systems linking exposure- Linking different systems creates a big chance of unauthorized access attacks to be successful since different systems will contain different levels of security hence leading to leakage of personal data. This can happen if a security vulnerability in another system is exploited hence providing access to different system it is linked with [9]

Data Leaks: Many networked computerized devices may disseminate the owners information, both from the cloud service and from within individual IoT gadgets. This data intentionally transferred from the cloud to unauthorized users happens to exist as a result of a direct attack on the cloud service platform or an attack from within the home IoT devices network.

Alternatively, when IoT device owners operate on devices with insecure authentication or encryption infrastructure is weak, personal information may get compromised. The leaks across devices in IoT solution network can communicate with each other and a device on the network can be used to spy on information generated or transmitted by the other devices.

Also another privacy issue is the large amounts of data produced by interconnected IoT solutions gadgets. This vast amounts of data results to formation of many and easier entry gaps for cyber attackers and exposes crucial personal data to hackers who can use all pervasive means to gain access to it and use it to an owner’s disadvantage

Another privacy issue is profiling: Companies e.g. insurance providing organizations can use data generated by IoT devices e.g. driving patterns gained from hacked Car electronic transmission systems to calculate one’s insurance rate.

Privacy protecting Solutions in order to address the privacy issues generated by IoT device consumers and IoT solutions vendors, a number of mechanisms has been postulated by the research community:

  • Cryptographic techniques and information manipulation:

Cryptography is the most dominant and current solutions towards curbing privacy of user data in IoT device environment use, although many sensors used in IoT devices cannot provide enough security protocols as a result of limited storage and data processing resources.

  • Privacy infringement reporting/signaling applications:

The only available breakthrough in privacy awareness has been mainly centralized around use of apps software which provide a basic privacy awareness to its user e.g. smart fitness devices, health monitoring systems etc. which can collect personal data from their users. A good instance is the recent study framework called SeCoMan suggested to act like a third party trustee for information owners as software apps cannot be fully relied upon in storing securely the data they process. [8].

  • Access control:

Access control is one of the most conclusive solutions to be used in addition to encryption and privacy awareness. This gives IoT device users the power to manage their own data. An example of this approach is DCapBAC (Distributed Capability- Based Access Control) , proposed by Skarmeta, Hernandez, and Moreno, the approach was suggested as an attainable access control approach that supports life cycle of smart devices associated with stringent security issues. [10]. It is basically a distributed approach in which smart things themselves are attributed with the ability to  process crucial decision making tasks.

  • Data minimization:

The underlying concern of data minimization is that IoT services providers must reduce the amount of information collected from individual users of IoT devices to only what is needed in IoT device use sessions. Also the information gained should only be retained as long as its relevant in its purposes after which it has to be removed from services provided by IoT devices and discarded [8].

IoT security Design Rules

The following security design rules must be considered in developing IoT devices. [6]

  • Build security in, it cannot be added later:

Security must be incorporated in the core structure of IoT systems, inclusive of robust authentication checks, data security, and all encryption processes that may be crucial to the function of the IoT system(Vacca,2007).. Better bug free codes used at the application level developed by software development companies/ manufacturers ought to be resilient, secure and stable. Also since IoT systems involve interacting with many devices across the same interconnected network, interoperability of devices should be guaranteed by manufacturers. A week bottom-top structure results to creation of a vulnerable system and with addition of many IoT devices to the network the more it gets exposed to potential threats.

  • Keep security mechanisms simple:

Since most smart devices have reduced storage capacities and data processing resources, it is advisable for security mechanisms implementers to keep them simple to avoid the effect of degradation in performance of the smart device.

  • Use existing standards

The use of existing standards enables many manufactures of smart devices to develop smart devices cheaply with the already existing security standards making the smart devices cheaply available and enable interoperability across various technological platforms/ computation environments

  • Encrypt sensitive data at rest and in transit

Data on transit can be protected through encryption by use of strong PKIs (Public Key Infrastructure) system. This will help prevent threats like eavesdropping, tracking and profiling. Data at rest can be secured by encrypting whole storage volumes e.g. hard disks/drives. This encryption process can be done before writing data to the storage medium (Vacca,2007). Modern encryption systems are closely integrated with the operating system that the extra role of encrypting and decrypting the data usually does not lead to noticeable reduction in performance.

Also setting of file privileges will help secure data at rest. Restrictions can be made in such a way that they limit what each authorized user is permitted to perform an each file or folder. Setting of privileges works hand-in-hand with data-at-rest encryption

  • Use well-studied cryptographic building blocks

Well-studied cryptographic building blocks are popularly known to be conclusively tested and they do offer wide range of support services. If one uses them then the end device will be more secured and resilient to existing security threats

  • Identify and access management must be part of the design

Diversity of the devices and networks used in IoT causes several networks and      information from different contexts and origins be aggregated. Each service and      network providers have different control policies and authentication procedures.        While developing and enacting access policies device resources needs should be     considered. Location and enforcement sections have to be the leading issues that    need consideration in developing a good accessioning policy.

  • Develop a realistic threat model

Keeping  a real approach in line with the actual day to day internet use threats analysis during device security designing, helps foreshadow probable adverse conditions of security the device may be subjected to during use hence helps manufacturers to designing more secure and threat resilient devices

  • Legislation 

A satisfactorily legal framework should have the details of each bill ought to include the   fundamental rights to information, should also have sections blocking the application of           internet of things mechanisms in given situations and laws on the right to a secure use of     IT combined with bills enforcing the use of various techniques, of IoT devices and creation    of a think tank that will do research on the legal aspects of IoT solutions. [7].

Ways of reducing/controlling security and privacy concerns in IoT

IoT products are made secure if only security mechanisms are embedded early in the development life cycle of these devices. Every building block of IoT solutions should also undergo a security review to detect vulnerabilities. The following diagram shows the IoT cyber threat landscape:

The following methods have been recommended in neutralizing security risks encountered in the use of IoT devices:

  • Base device platform analysis— vulnerable platform configuration might lead to compromises such as privilege escalation. A base device platform operating system and its security measures, configurations and specifications must be checked against the base-lined information security needs. Verification needs to be done to ensure that any test interfaces are removed from the hardware.
  • Network traffic verification— Network traffic (wired or wireless) should be analyzed for any unencrypted or modifiable data. There is a thin line of conflict between performance and security when encryption is recommended. Lightweight encryption algorithms can be used to cater to performance requirements.
  • Scrutiny of basic functionality requirements—Highest level security specifications must be assessed. They ought to undergo aggressive anti-attack testing e.g. (subversion or fuzzing).IoT solutions can use Software as a Service (SaaS)-based identity management solutions for authorization and authentication needs.
  • Trust boundary inspection and fault injection— all trust boundaries across the signal path should be reviewed and subject to fault injection using negative test cases. The trust boundaries can be verified using manual penetration techniques. Periodic penetration testing is recommended.
  • Side channel attack defense verification— if side channel defenses are implemented, either in software or hardware, they must undergo verification which is augmented with penetration/injection test processes. Continuous penetration testing helps to mitigate advanced persistent threats (APTs) launched against the use of IoT devices.
  • Secured code development practices- early secure code reviews help provide advance mitigation techniques. Crucial and easily affected arrears of smart devices operating systems e.g. booting processes, embedded internet firewalls and encrypting mechanisms must all undergo/ be developed under secured code development practices. The cost of fixing a security defect is greatly reduced when the security vulnerability is discovered during the development cycle.
  • End-to-end penetration test—End-to-end penetration tests must be always applied throughout the communication channel so as to pinpoint any security weakness in the network, mobile and cloud interfaces of the IoT solutions. This testing procedure appraise the security state of the IoT networked Segments.

Conclusion

Introducing security in the early stages of IoT solution systems will help reduce privacy and security problems encountered with the use of IoT devices. This will only be achieved by following to the letter best software/systems development practices which include thoroughly tested applications (apps) development practices, constant upgrading and patching sessions done after a full application software security analysis.

The IoT business gives us a very enticing and exciting future on how our way of life will change and the revolution it will bring in corporate average productivity per given unit of input. As much as IoT seems to offer great business opportunities the security and privacy implications faced when applying IoT in our lives should be taken seriously by this manufacturers. The wide distribution of intelligent remotely connected devices will give us several crucial and needed service extensions in securing our homes, improving our transportation practices, checking the health status of our physiological systems and setting up a platform for a brand new environment of application software innovation practices. One important thing all users should know is that security and privacy of their information starts with them.

Users should take time and go over their IoT devices’ security features to ascertain their level of vulnerability. Constant security updates should be carried out and users should provide less and less personal information as much as possible to IoT devices’ apps. This will help improve their security and privacy during the application of IoT solution.

To make this industry push towards maturity from its current infancy stages a unanimous agreement on security enactment on IoT devices must be arrived at to save the industry from probable stagnation or abandonment. The constantly changing way of life of consumers and rapid advancement of technology must be embraced by IoT devices manufacturers for the benefit of the consumers and corporate IoT investment ventures which will aid the industry attain a premier roll in the tech world

Recommendation

IoT devices should enact best security and cryptographic practices and smart devices developers should make sure that any device manufactured for the consumer market has security features across its internet communication layers.

Also encryption used in this devices should be Lightweight cryptography or its equivalent so has to maintain high smart devices performance with little strain on the devices’ computation performance and power utilization.

The devices should have reduced exclusive dependencies on network security features e.g. the firewalls in monitoring information exchange since not all information proliferated devices can pass through the firewall before reaching the intended destination devices due to the unique communication architecture of the IoT devices.

References

  1. Sivarama Subramanian, CISM, Varadarajan Vellore Cropal, CEH and Marimuthu Muthusamy. Security privacy challenges of IoT-enabled solution

https://www.isaca.org/journal/archives/2015/volume-4/pages/security and privacy challenges_of_iot_enabled_solutions.aspx

  1. Gartener, “ Gartner says the Internet of Things Installed Base Will grow to 26 billion units by 2020,” Newsroom, 12 December 2013,

www.gartener.com/ newsroom/id/2636073

  1. Broadband internet Technical Advisory Group

General security and privacy threats that involve consumers as the number and variety of devices proliferate rises daily

Htps://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_security_and_privacy_Recommendation.pdf November 2016

  1. Ahmed Banafe. Datafloq B.S.[NL] Internet of Things (IoT): Security, privacy and safety.

https://datafloq.com/rea/internet_of_things_iot.security_privacy_safety1948

  1. Andrew Meola. How the internet of things will affect security and privacy. December 19, 2016.

www.businessinsider.com/internet_of_things_security_privacy2016-8?IR=T

  1. Victor Ake security in the internet of things
  2. Rolf H. Weber Internet of Things- New security and privacy challenges. Computer Law and security Review volume 26, issue 1 January 2010
  3. H Zigieldorf, O.G. Morchon and K. Wehrle. Privacy in the internet of Things threats and challenges. Security and communication Networks. 7(12):2728-2742, 2014.
  4. Noula Aleisa and Karen Renaud. Privacy of the Internet of Things: A Systematic Literature Review (Extended Discussion)

https://arsix.org/ftp/arxir/papers/1611/1611.03340.pdf

  1. Vacca, J. R. (2007).Practical Internet security. New York, NY: Springer.
  2. Garfinkel, S., Spafford, G., & Schwartz, A. (2003).Practical UNIX and Internet security. Beijing: O’Reilly.
  3. Bernstein, T. (1996).Internet security for business. New York: Wiley.
  4. Speed, T., & Ellis, J. (2003).Internet security: A jumpstart for systems administrators and IT managers. Amsterdam: Digital Press.