Threats And Risks To Internet Of Things (IoT) In Gigantic Corporation

ITC596 IT Risk Management

IT Risks in Gigantic Corporation

Billions of physical devices are connected to the internet (Radomirovic, 2010). These devices collect and share data using the Internet of Things, or IoT. Anything can be turned into a part of the IoT with the help of processors and wireless networks. IoT adds digital intelligence to devices, which lets them communicate without the help of a human being and so makes it possible to merge the digital and physical worlds (PurpleSyntax, 2018). Everyday objects can be made ‘smart’ by adding sensors and communication interfaces to them. Here the word ‘smart’ means that the objects are able to communicate the required information about their surroundings (Sklavos & Zaharakis, 2016).

Gigantic Corporation is an information and technology organization. It manufactures a variety of software and hardware that provides its users with many telecommunication services. The organization faces various IT risks such as security threats, data breaches and other cyber-crimes (Carr, 2016).

Gigantic Corporation is an IT organization and I work here as an IT Risk Assessment lead consultant. The main roles of an IT risk consultant are to develop risk policies for the company, assist in risk analysis, develop risk management practices, maintain threats to information security, and improve security systems so that users can secure their private information.

Gigantic Corporation uses various information technologies, for example the Internet of Things, wireless networks, cloud computing, network protocols, and information technologies (Chakhchoukh & Ishii, 2015). Using all these technologies, Gigantic Corporation provides communication services to many companies and consumers.

As the use of electronic data processing increases in the Gigantic organization, securing the information and privacy of IoT has become a major issue (T.K & Jebakumar, 2018). Westin defined information privacy in 1968 as “the right to select what personal information about me is known to what people”. This report covers the threats and risks to the Internet of Things (IoT) in the Gigantic organization and the methods the organization can adopt to reduce IoT risk. The organization can ensure IoT security with four cornerstones: Protecting Communications, Protecting Devices, Managing Devices and Understanding your System (Symantec, 2016). The privacy of the organization’s confidential data can also be assured by cryptography, awareness of privacy risks, individual control over the collection and processing of information, and data minimization (Aleisa & Renaud, 2016).

IoT technologies and features are evolving very fast, and so are the ways of interacting with the IoT. Some of the risks of IoT include extended downtime, physical harm to people, and damage to equipment such as pipelines, power generation facilities and blast furnaces (Beta.complyscore, 2016). IoT systems and facilities of these kinds have been attacked several times and materially damaged. Hence security has become the most important need for anyone who makes and operates IoT devices and systems (Symantec, 2016). Some of the security requirements on IoT are (Deogirikar & Vidhate, 2017):

  • Authentication: Authentication means ‘verification’. Routing peers need to verify each other before sharing route information, and the origin of the shared data must be confirmed as accurate. IoT requires strong and highly automated authentication (Abomhara & Køien, 2014).
  • Access Control: Access control prevents the use of unauthorized nodes; that is, it ensures that the nodes are not compromised (Abomhara & Køien, 2014).
  • Confidentiality: When information is shared over a publicly accessible medium, such as air for wireless transmission, it needs to be protected. Confidentiality ensures the protection of that information (Abdmeziem, 2016).
  • Integrity: Integrity ensures that no unauthorized modification of any kind occurs and that data is protected (Abdul-Ghani et al., 2018).
  • Availability: It makes information available when it is required, specific to IoT (Husamuddin & Qayyum, 2017).

The evolution of IoT technologies and their features leads to several privacy threats and challenges (Alsaadi & Tubaishat, 2015). These threats can be classified according to where in our reference model they are most likely to appear.

IT Risk Assessment Lead Consultant Role

Figure: Threats in the Reference Model

(Source: Ziegeldorf, Morchon, & Wehrle, 2013)

From the reference model it is seen there are seven threat categories:

  • Identification
  • Localization and Tracking
  • Profiling
  • Privacy-violating interaction and presentation
  • Lifecycle Transitions
  • Inventory Attack
  • Linkage

The identification threat denotes the association of an identifier, e.g. a name and address, with an individual. Associating a particular identity with a particular privacy-breaching context is a threat in itself, and it also leads to several other threats, e.g. the combination of different data sources, or profiling and tracking (Ziegeldorf, Morchon, & Wehrle, 2013). Gigantic Corporation faces the identification threat, as the identities of a large number of its employees are associated with those of their co-workers. The backend services of our reference model concentrate a large amount of information, so the information processing phase is where the identification threat is most likely to occur.

Localization and tracking is a threat that determines and records the location of a person through time and space. Gigantic company faces the threat of localisation and tracking because hackers track information about the location of the company’s important meetings, so that services can be targeted at a specific location and a particular time (Kozlov, Veijalainen, & Ali, 2012). Tracking someone’s location requires binding an identification of some kind to the continuous localization of the individual (Aleisa & Renaud, 2016). There are different means of tracking today, e.g. GPS, internet traffic or mobile phone location. Many privacy violations related to this threat have been identified, e.g. GPS stalking (Ziegeldorf, Morchon, & Wehrle, 2013). Localisation and tracking threats mainly occur in the information processing phase, where the location of the subject is traced without his concern.

Profiling refers to the threat of collecting information about individuals in order to infer their interests by correlation with other data and profiles. Gigantic company faces profiling issues because its employees can be targeted specifically. In e-commerce, profiling is mostly used for personalization. Profiling is also used for internal optimization based on customer interests and demographics (Ziegeldorf, Morchon, & Wehrle, 2013). Examples of profiling that lead to privacy violations are unsolicited advertisements, price discrimination, erroneous automatic decisions and social engineering. Profiling threats mainly occur in the dissemination phase.

Privacy-violating interaction and presentation refers to the threat that personal information is conveyed through a common medium and, in the process, disclosed to an unwelcome audience. IoT applications such as transportation, healthcare and smart retail need interaction with the user. Smart things such as speakers, advanced lighting installations and video screens are used to provide information to users. Users control these smart things in new, intuitive ways, such as touching, moving and speaking to them (Ziegeldorf, Morchon, & Wehrle, 2013). These interaction mechanisms are public; hence Gigantic company’s information and private data are under threat, because anyone in the vicinity can observe them. When personal information is exchanged between the user and the system, this becomes a threat to privacy (Aleisa & Renaud, 2016).

Lifecycle transitions threaten privacy when smart things change control spheres during their lifecycle and disclose private information in the process. The information stored and the data collected in smart things are the main reason behind privacy violations from lifecycle transitions (Aleisa & Renaud, 2016). The lifecycle threat is mainly related to the information collection phase of the reference model. Gigantic company’s devices are sold or disposed of when they go out of use. It is assumed that all the data is deleted, but devices store a lot of information about their history throughout their entire lifecycle.

Information Technologies Used by Gigantic Corporation

The unauthorized collection of information about personal things and data is known as an inventory attack (Aleisa & Renaud, 2016). Hackers use inventory data to access Gigantic Company’s confidential data and to find a safe time to break in.

The linkage threat arises when different, previously separated systems are linked. The combination of data sources reveals information that the subject did not disclose to the previously isolated sources. When data collected from different sources under different circumstances and permissions is combined, users fear inferior judgement and loss of context (Weber, 2010).

In order to preserve privacy within the organization and the security of end-users and service providers, as an IT consultant I suggest that Gigantic Corporation incorporate the following privacy policies to provide better security and to protect the company from the threats mentioned above. Below is the list of privacy-preserving solutions (Aleisa & Renaud, 2016):

  1. Cryptography techniques: Of all the privacy-preserving schemes, cryptography is still the most dominant privacy solution. Cryptographic techniques are based on encryption algorithms. The Advanced Encryption Standard (AES) is used to ensure confidentiality.
  2. Privacy awareness or context awareness: In order to make its employees aware of the privacy of IoT, Gigantic Company should focus on individual applications that inform their users about the basic privacy of smart devices. A trusted third party should be proposed for the users, so that the applications no longer depend on location information (Rachid, Challal & Nadjia, 2015).
  3. Access Control: Access control allows users to manage their data on their own. After encryption and privacy awareness, access control is one of the feasible solutions. CapBAC (Skarmeta, Hernandez-Ramos, & Moreno, 2014) is one approach to access control. In this approach the smart thing itself makes authorization decisions.
  4. Data minimization: The Gigantic organization should apply the data minimization principle to reduce security threats. Data minimization makes IoT service providers limit the collection of personal information to what is directly relevant. Data is retained only as long as it is necessary to fulfil the requirements.

Apart from above mentioned solutions, there are other solutions also. These are mentioned below:

  1. Hitchhiking: This is a new approach that ensures the anonymity of users who give their location. The location is treated as the entity of interest, not the user, because information about which person is at a particular location is unnecessary (Aleisa & Renaud, 2016).
  2. Introspection: This protects the personal information of the user by analysing the activities of the VM. The CPU state of every VM is analysed. It also detects malicious software on the VM; if an IoT device loses its integrity due to a malicious attack, this creates risks for the privacy of the user (Aleisa & Renaud, 2016).

IoT systems are highly complex and require end-to-end security that covers both the cloud and connectivity layers. Strong security solutions are needed; otherwise attackers simply use the weakest link to breach the security walls of the organization. Gigantic Corporation’s systems drive and handle data from IoT systems, so additional and unique security solutions are needed for them. Security for IoT systems can be covered with four important cornerstones. By combining these four security cornerstones, robust and easy-to-deploy security architectures can be formed. Such a security architecture will help mitigate the majority of security threats to the Internet of Things (Symantec, 2016).

As mentioned there are four major security constraints:

Three fundamental terms define meaningful security: encryption, authentication and key management. The key management techniques used by Gigantic Corporation for IoT are still not safe. A “trust model” is available to protect billions of transactions. This trust model lets systems authenticate the systems of other companies and then start encrypted communication with them (Banerjee, Dong, Taghizadeh, & Biswas, 2014). Accepting data that has not been verified can be dangerous to the company. Such data can corrupt the device, and a malicious party could gain control of it. Strong authentication is therefore needed to restrict such threats. Elliptic Curve Cryptography is ten times faster and more efficient than the traditional encryption process and does not compromise on the security of IoT (Symantec, 2016).

Each device boots and runs some kind of code whenever it is powered up, and it is necessary to ensure that the device does only what it was programmed to do. The first step in protecting a device is therefore to make sure that it boots and runs only the code that we want it to run. OpenSSL libraries are available to check the signatures of code and accept it only if it comes from an authorized source. Cryptographic code signing is used to ensure that code has not been tampered with after being signed, and this is done at the application and firmware levels. To protect devices there are some rules for accepting data: “never trust unsigned code”, “never trust unsigned data” and “do not ever trust unsigned configuration data” (Symantec, 2016). For Gigantic Corporation the main challenges are ‘managing the keys’ and ‘controlling access to the keys’.
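The sign-then-verify gate described above, as an added example that is not part of the original report: it uses the OpenSSL command-line tool with an ECDSA P-256 key to accept an image only when its signature verifies against the one public key the device trusts. The key names, file names and the `accept_firmware` helper are hypothetical, and the images are constructed samples.

```shell
#!/bin/sh
# Added example: "never trust unsigned code" as a verification gate.
# All names and files below are hypothetical / constructed for illustration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- Build side (an isolated signing host; the private key never ships) ---
make_signing_key() {    # $1 = basename of the key pair
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

sign_image() {          # $1 = key basename, $2 = image path; writes $2.sig
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

# --- Device side: only the vendor public key is provisioned ---
# Returns 0 = accept, 1 = signature does not verify, 2 = no signature at all.
accept_firmware() {     # $1 = image path, $2 = trusted public key
    [ -s "$1.sig" ] || { echo "reject: ${1##*/} (unsigned)"; return 2; }
    if openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1; then
        echo "accept: ${1##*/}"
        return 0
    fi
    echo "reject: ${1##*/} (bad signature)"
    return 1
}

make_signing_key vendor     # the authorized source
make_signing_key rogue      # some other party's key

# Case 1: image signed by the vendor.
printf 'FWv2 constructed sample image\n' > "$WORK/good.bin"
sign_image vendor "$WORK/good.bin"

# Case 2: vendor-signed image modified after signing.
cp "$WORK/good.bin" "$WORK/tampered.bin"
cp "$WORK/good.bin.sig" "$WORK/tampered.bin.sig"
printf 'patched' >> "$WORK/tampered.bin"

# Case 3: validly signed, but by a key the device does not trust.
printf 'constructed third-party image\n' > "$WORK/rogue.bin"
sign_image rogue "$WORK/rogue.bin"

# Case 4: no signature file at all.
printf 'constructed unsigned image\n' > "$WORK/unsigned.bin"

for img in good tampered rogue unsigned; do
    accept_firmware "$WORK/$img.bin" "$WORK/vendor.pub" || true
done
```

Only the first image is accepted. The private key stays on the signing host, which is where the ‘managing the keys’ and ‘controlling access to the keys’ challenges named above apply.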

IoT Threats and Risks in Gigantic Corporation

There are strong standards for managing software and firmware inventories on each device, as well as device configuration. Managing security for each device requires managing the configuration of host-based security technologies. Some security technologies need OTA updates of security content. Others depend only on policy-based mechanisms, and need updates only when the software on a device is re-imaged for purposes such as adding functionality. Security components are not the only components on each device that need to be managed securely and safely. The data generated by the sensors of most devices needs to be collected and transmitted safely and securely for storage in a safe and secure place. To manage devices, IoT systems are provided with update capabilities built into them from the start. The chances of threats and vulnerabilities increase if devices are not provided with built-in OTA updates (Symantec, 2016).

Today, most IoT technologies and systems are considered “intranets of things.” Whether a device should be trusted depends on a “Directory of Things.” This directory tracks the security information of each device and IoT system. It also helps in managing the permissions that devices and systems grant each other. These directories also help in the discovery of devices as the number of IoT devices increases. Because of these directories it has become possible to find remote devices quickly. Details of the devices, along with their capabilities and reputation, are listed in this directory (Symantec, 2016).

Conclusion

As discussed above, IoT connects billions of devices to the internet, where they collect and share data. IoT has made it possible for devices to communicate without any human being. But, as noted above, there are various threats to the Internet of Things. The digital devices used in Gigantic Corporation are also connected to the Internet of Things and are likewise prone to various attacks and threats. The security systems used in the organization are not enough to secure the devices from these attacks. Privacy is also important when communicating with IoT. Several privacy threats and security issues are discussed above (Ziegeldorf, Morchon, & Wehrle, 2013). This report elaborates a simple and effective architecture for IoT security and privacy threats, and also discusses the privacy-preserving policies for IoT needed in Gigantic company.

  • The architecture ensures that all code is cryptographically signed and authorized, and prevents unsigned code from running.
  • The architecture uses authentication and encryption processes to protect communication. More than a billion IoT devices are protected using trust models, but the introduction of newer ECC algorithms has increased the security level in resource-constrained IoT devices.
  • Further, malicious data can be reduced through host-based protection, and all security threats through security analytics.
  • The architecture describes an effective, safe and secure dynamic management of the system to diminish threats further.

References

Abdmeziem, M. M. R. (2016). Data confidentiality in the internet of things (Doctoral dissertation, Université des Sciences et de la Technologie Houari Boumediène).

Abdul-Ghani, H. A., Konstantas, D., & Mahyoub, M. (2018). A Comprehensive IoT Attacks Survey based on a Building-blocked Reference Model. International Journal of Advanced Computer Science and Applications, 9(3), 355-373.

Abomhara, M., & Køien, G. M. (2014, May). Security and privacy in the Internet of Things: Current status and open issues. In Privacy and Security in Mobile Systems (PRISMS), 2014 International Conference on (pp. 1-8). IEEE.

Aleisa, N., & Renaud, K. (2016). Privacy of the Internet of Things: A Systematic Literature Review (Extended Discussion). arXiv preprint arXiv:1611.03340.

Alsaadi, E., & Tubaishat, A. (2015). Internet of Things: Features, Challenges, and Vulnerabilities. International Journal of Advanced Computer Science and Information Technology, 4(1), 1-13.

Banerjee, D., Dong, B., Taghizadeh, M., & Biswas, S. (2014). Privacy-preserving channel access for internet of things. IEEE internet of things journal, 1(5), 430-445.

Beta.complyscore, (2016). Art of IoT Security. Retrieved from: https://beta.complyscore.com/wp-content/uploads/2016/03/IOT_Workshop_Flyer.pdf

Deogirikar, J., & Vidhate, A. (2017, February). Security attacks in IoT: a survey. In I-SMAC (IoT in Social, Mobile, Analytics and Cloud)(I-SMAC), 2017 International Conference on (pp. 32-37). IEEE.

Husamuddin, M., & Qayyum, M. (2017, March). Internet of Things: A study on security and privacy threats. In Anti-Cyber Crimes (ICACC), 2017 2nd International Conference on (pp. 93-97). IEEE.

Kozlov, D., Veijalainen, J., & Ali, Y. (2012, February). Security and privacy threats in IoT architectures. In Proceedings of the 7th International Conference on Body Area Networks (pp. 256-262). ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering).

PurpleSyntax, (2018). The Beginners Guide to The Internet of Things. Retrieved from: https://www.purplesyntax.com/blog/The_Beginners_Guide_to

Rachid, S., Challal, Y., & Nadjia, B. (2015, November). Internet of things context-aware privacy architecture. In Computer Systems and Applications (AICCSA), 2015 IEEE/ACS 12th International Conference of (pp. 1-2). IEEE.

Radomirovic, S. (2010, December). Towards a Model for Security and Privacy in the Internet of Things. In Proc. First Int’l Workshop on Security of the Internet of Things.

Sklavos, N., & Zaharakis, I. D. (2016, November). Cryptography and Security in Internet of Things (IoTs): Models, Schemes, and Implementations. In New Technologies, Mobility and Security (NTMS), 2016 8th IFIP International Conference on (pp. 1-2). IEEE.

Skarmeta, A. F., Hernandez-Ramos, J. L., & Moreno, M. V. (2014, March). A decentralized approach for security and privacy challenges in the internet of things. In Internet of Things (WF-IoT), 2014 IEEE World Forum on (pp. 67-72). IEEE.

Symantec. (2016). An Internet of Things Reference Architecture. Retrieved from: https://www.symantec.com/content/dam/symantec/docs/white-papers/iot-security-reference-architecture-en.pdf

T.K, A., & Jebakumar, R. (2018). Security & privacy in IoT Data Provenance. International Journal of Engineering and Technology, 10(3), 843-847.

Weber, R. H. (2010). Internet of Things–New security and privacy challenges. Computer law & security review, 26(1), 23-30.

Westin, A. F. (1968). Privacy and freedom. Washington and Lee Law Review, 25(1), 166.

Ziegeldorf, J. H., Morchon, O. G., & Wehrle, K. (2014). Privacy in the Internet of Things: threats and challenges. Security and Communication Networks, 7(12), 2728-2742.
