Security Fundamentals: Individual Assignment
The convenience and accessibility of the Internet have
reshaped almost every aspect of our lives, such as communication, work and leisure.
The increase in computing power has also enabled businesses to automate many
tasks to the extent that artificial intelligence can now make better decisions
than humans in many cases. Yet technology is still considered to be in its
early stages of development as technology becomes cheaper and more readily
available. According to the Visual Networking Forecast (VNI), the population of
Internet users will increase to over 4 billion people by 2020.
The increase in users means that more information is
exchanged between individuals, businesses, banks, communities, governments and
organizations, making the world more interconnected and interdependent
(Friedman, 2016). While the increased connectivity has its advantages, it also
poses a serious threat – information security. Security breaches and malware
attacks are increasing rapidly as cybercriminals attempt to steal and profit
from private and confidential data of individuals and organizations. On 22
September 2017, Singapore surpassed nations including the US, Russia and China
as the country launching the most cyber-attacks globally, according to Check
Point Software Technologies. This report aims to look at a few security threats
and study their causes, nature and how to mitigate them.
Will Continue to be Sacrificed for Mobile Apps
The annual increase in mobile device users and the reliance
on mobile apps to carry out day-to-day activities also means users are spending
more time connected to the Internet and uploading more of their personal data.
This makes it attractive for attackers to exploit and steal confidential data
of the users.
2.0.1 Description of the Threat
developers profit from their apps through two methods: charging a fee for their
app and selling sensitive user data. Almost 30% of the free apps that
smartphone users use collect and sell users' data to advertisers (Marble
Security, 2015). The data can in turn be stolen or purchased by cybercriminals,
hackers, belligerent governments and aggressive advertising companies to launch
highly targeted phishing and social media attacks. The more valuable
information can pose a threat to the users, their contacts, their employers and
any other companies and banks they conduct business with. This problem is
further exacerbated by users' inadequate knowledge of their own data
protection and their readiness to exchange information in return for app usage (Jevans,
2.0.2 Nature of the Threat
that engage in in-app transactions can have their banking information stolen
and be charged for other transactions that are unknown to them. In November
2017, several Uber users in Singapore reported unauthorized transactions
from their bank accounts that were charged to overseas Uber rides in foreign
currency. The bookings charged to their cards were not made from their Uber
app, nor did they receive billing notifications via app or email. It
appears that their bank accounts were used on another person's Uber app. Similar
reports were made earlier this year and last year in Singapore. The Guardian
newspaper also reported several cases in London where Londoners were charged for
rides in Mexico and New York that they never booked (Darke, 2017).
2.0.3 Threat Mitigation
companies must ensure that users' account and payment information is stored in
a securely encrypted database when users enter it into their app. Encryption
transforms data into ciphertext, making it inaccessible to attackers. Ideally
they would use 256-bit encryption, which is one of the most secure
encryption methods. With 256-bit encryption, hackers would have to test out 2^256
different combinations to gain access, which is almost impossible even
for the fastest computers.
Multiple levels of passwords
should be used to protect databases storing customer information, and passwords
must be changed frequently. In addition, companies should conduct frequent
background inspections on employees handling consumer data.
Consumers also have
a responsibility to remain vigilant in protecting their personal
information and to ensure that their own devices are not compromised because
of their own negligence. Consumers should also read through any terms and conditions
and find out how app companies will be using their data before agreeing to them.
As people's reliance on phone apps increases,
they will unknowingly upload more data to the Internet. No matter how
securely a company protects its customer data, attackers are constantly
finding new ways to steal it. Leaving personal data in the hands of companies
can never be fully safe, and consumers need to play a part in taking
responsibility for their own private data. The most efficient method for users is
to stay informed on how companies are using their data and to limit information
exchange by considering whether the exchange of data for app usage is worth it
before agreeing to it.
2.1 The Need for Improved Security on IoT Devices Will Become More Pressing
2.1.1 Description of the Threat
An IoT device connects wirelessly to a network
and transmits and receives data over that wireless connection to carry out monitoring
or controlling functions. According to BI Intelligence, there will be
approximately 22.5 billion IoT devices by 2021. However, many of these smart
devices are not developed with Internet security in mind. It is challenging
for manufacturers to develop a secure device that connects to the Internet, yet
is cheap and consumes little power. Many IoT devices operate without built-in
security and cannot be patched. The increasing number of devices coupled with
the lack of security presents significant opportunities for attackers to exploit
(Perry, 2017). Some of the vulnerabilities of IoT devices include:
– Weak passwords
– Lack of Encryption
– Internet exposure
2.1.2 Nature of the Threat
One threat faced by online users is a
Distributed Denial of Service (DDoS) attack, which attempts to render an online
service unavailable by flooding it with traffic from multiple sources.
On 21 October 2016, a large-scale DDoS attack crashed the Dyn Domain Name
System (DNS) service, demonstrating the vulnerability of certain platforms to
attacks that use IoT devices.
The attack came in several
waves, denying access to the platforms of Dyn's major customers, such as Twitter, Netflix
and Facebook, for several hours. According to analysis by Flashpoint, one source
of the attack was devices infected by the Mirai botnet, which uses compromised
IoT devices, primarily digital video recorders and IP cameras manufactured by
XiongMai Technologies (York, 2016). Flashpoint's researchers state that the password
of such devices cannot be changed, since it is hardcoded into the firmware, and that
the absence of the tools required to disable the password makes the devices easy for
attackers to exploit.
Affected parties include
Internet users who were temporarily unable to access sites using Dyn's managed
DNS service and companies that use Dyn's DNS services. The biggest victim of the
attack was Dyn itself, which lost more than 14,000 Internet domains that were
originally using its services immediately after the attack, according to
BitSight (Paul, 2017).
To prevent IoT devices from being infected,
always change the default password when provisioning a new device. If it cannot
be changed and the device is intended to be connected to the Internet, return it.
Manufacturers should consider making a default password change compulsory
when the device is first set up.
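One way a manufacturer could make the default password change compulsory at first setup, as an added example that is not part of the original report. The Device class, the factory-default list and the 12-character minimum are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed list of factory credentials; a real product would ship its own.
FACTORY_DEFAULTS = {"admin", "root", "password", "12345"}
MIN_LENGTH = 12            # assumed minimum length for the owner's password
PBKDF2_ROUNDS = 600_000    # work factor for PBKDF2-HMAC-SHA256


class Device:
    """Hypothetical IoT device that stays off the network until provisioned."""

    def __init__(self, factory_password: str):
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(factory_password)
        self.provisioned = False

    def _derive(self, password: str) -> bytes:
        # Only a salted, slow hash is stored, never the password itself.
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ROUNDS
        )

    def verify(self, password: str) -> bool:
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._hash, self._derive(password))

    def change_password(self, current: str, new: str) -> None:
        if not self.verify(current):
            raise PermissionError("current password is wrong")
        if new.lower() in FACTORY_DEFAULTS or self.verify(new):
            raise ValueError("new password is a factory default or unchanged")
        if len(new) < MIN_LENGTH:
            raise ValueError(f"password must be at least {MIN_LENGTH} characters")
        self._salt = secrets.token_bytes(16)  # fresh salt for the new secret
        self._hash = self._derive(new)
        self.provisioned = True

    def network_allowed(self) -> bool:
        """Network services may start only after the default is replaced."""
        return self.provisioned
```
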
backdoors to ease the support process, but backdoors expose consumers to
security breaches. A device with an open telnet backdoor should not be allowed
into the network. IoT device scanners such as BullGuard can identify open telnet
backdoors by querying an IoT search engine called Shodan to determine the
vulnerability of devices based on the IP address of the computer from which one
initiates the scan.
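The admission rule above, applied to scan results for devices waiting to join a network, as an added example that is not part of the original report. The scan lines, the internal address range, the port sets and the cleartext-management heuristic are constructed assumptions, not output from BullGuard or Shodan.

```python
import ipaddress

# Constructed scan results: "<ip> <device name> <open TCP ports>"
SCAN_RESULTS = """\
192.168.10.21 dvr-lobby 23,80,554
192.168.10.22 cam-dock 443,554
203.0.113.7 cam-remote 443
192.168.10.23 sensor-hvac 2323,8080
"""

INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed site range
TELNET_PORTS = {23, 2323}            # 2323 is a common alternate telnet port
CLEARTEXT_ADMIN_PORTS = {80, 8080}   # HTTP management, assumed to lack TLS


def parse(line):
    """Split one scan line into (address, name, set of open ports)."""
    ip, name, ports = line.split()
    return ipaddress.ip_address(ip), name, {int(p) for p in ports.split(",")}


def findings(ip, ports):
    """Map a device onto the weaknesses listed in section 2.1."""
    issues = []
    if ports & TELNET_PORTS:
        issues.append("telnet open")
    if ports & CLEARTEXT_ADMIN_PORTS and 443 not in ports:
        issues.append("unencrypted management")
    if ip not in INTERNAL_NET:
        issues.append("internet-facing address")
    return issues


def admission_report(text):
    """Return {name: (decision, issues)} for every scanned device."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, name, ports = parse(line)
        issues = findings(ip, ports)
        # Policy from the text: an open telnet backdoor means no admission.
        if "telnet open" in issues:
            decision = "deny"
        else:
            decision = "review" if issues else "admit"
        report[name] = (decision, issues)
    return report
```
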
IoT manufacturers must place
more emphasis on designing IoT devices with security in mind. It is important
to establish and test basic security features such as compartmentalization of
code and data, communication between trusted parties, data protection and user
authentication. Devices should support
regular security and firmware updates, feature locking, build
validation and software vetting.
As more devices are connected to the
Internet, attacks on such devices will naturally increase. To effectively
defend against such attacks, both users and manufacturers must play a part in
staying vigilant regarding device security. Users must be proactive in defending
their devices from attacks by changing the default password immediately after
initial deployment of a device and by always thinking twice about whether the device should be
connected to the Internet. Manufacturers must focus more on security features
and less on cost saving to protect the security of their devices and customers.