
Monday, July 8, 2019

Week 06 - New Technology Augmented Reality

TL:DR - Augmented Reality to fundamentally reshape how humans interact with the physical world


Augmented Reality (AR) and Virtual Reality (VR) are colossal technology trends to date. AR is an “enhanced” version of reality that uses technology to superimpose computer-generated information like sounds, images, and text over a user’s physical real-world environment to provide assistance in everyday activities. It thus enhances one’s perception of reality rather than replacing it. This technology shouldn’t be mistaken for VR, where an entirely computer-generated environment is created for the user to inhabit and interact with.

Figure 1: Reality grading

Augmented reality is not a new technology; some form of it has been around for years. For example, the heads-up display in fighter aircraft shows information about the attitude, direction and speed of the aircraft. The pivot point in bringing this technology to the general consumer started with Google Glass in 2013. Several categories of augmented reality technology exist, each with varying differences in their objectives and applicational use cases:

  • Marker-based (Image Recognition): The digital world is anchored to real-world objects. A camera and a visual marker are combined to produce a result only when the marker is sensed by a reader.
  • Markerless (location-based, position-based, or GPS): Uses a combination of camera systems, dedicated sensors (GPS, digital compass, velocity meter, or accelerometer), and complex math to accurately detect and map the real-world environment based on location.
  • Projection: Projects digital images with artificial light directly onto objects or surfaces in the real world. The light senses the human interaction (i.e. touch) of that projected light.
  • Superimposition: Uses object recognition to either partially or fully replace an object within the user’s environment with a digital image.

Figure 2: Timeline

AR can be displayed on various devices and involves technologies such as simultaneous localization and mapping, depth tracking, and the following components:

  • Cameras and sensors to collect data about the user’s interactions for processing.
  • Processing, similar to computers, requiring a central processing unit, graphical processing unit, storage, memory, and other components to measure speed, angle, direction, orientation in space, etc.
  • Projection as a means to display the digital information onto a surface for viewing.
  • Reflection mirrors to assist human eyes with proper alignment.

Figure 3: AR components

Augmented reality devices come in multiple form factors:
  • Head-mounted
  • Eyeglasses
  • Contact lens
  • Virtual retinal displays
  • EyeTap
  • Handheld
  • Spatial

The use cases for augmented reality are endless; the sky is the limit. This technology serves every industry; here is a listing of only a small number of use cases: https://uploadvr.com/augmented-reality-use-cases-list/. Currently I am assisting the organization I work for with bringing on Augmented Reality in a secure manner for utility applications for the electrical utility and water utility. Just imagine field workers not relying on 2D drawings or hardcopy drawings, but on a visual overlay of the underground infrastructure, overlaid on the physical space the user occupies, to make decisions and work safely in the field.

Figure 4: Overlay example

The following are videos on how augmented reality changes the world.

This video has a humanistic discussion at a personal level that is quite inspiring. From 3:10 - 4:37 it provides an excellent illustration of use cases.


This video shows how revolutionary augmented reality's potential is.


Augmented Reality has the ability to fundamentally reshape how humans interact with the physical world. As devices adapt to the new technology, the growth of Augmented Reality has no limitations.

Monday, July 1, 2019

Week 05 - Internet of Things

TL:DR - Cool is fun, but a balance between functionality and security needs to occur.


Kevin Ashton, in a presentation at Procter & Gamble in 1999, coined the term “Internet of Things” (IoT). What is it? “The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network” thereby facilitating human to machine and machine to machine interactions.

The concept is taking all the things in the world and connecting them to the Internet. The IoT is a network of connected things with built-in sensors; it integrates data from the different devices and applies analytics about the environment around them to share the most valuable information with applications built to learn and adjust themselves to address specific needs. An IoT system consists of:

  • Sensor and or device that may include a collection of sensors
  • Connectivity
  • Data processing
  • User interface
These sensors/devices vary in degree of complexity and are far ranging, e.g., cameras, accelerometers, GPS, temperature gauges, etc. The data collected is transmitted over communication media and transports such as cellular, satellite, wireless (Wi-Fi), Bluetooth, wide-area networks (WAN), low power wide area networks (LPWAN), or by connecting directly to the internet via Ethernet. Software then performs processing on the acquired data. Finally, the information is made available to the end user, who may have the ability to interact with the device, or the device can perform actions automatically based on predefined rules.

Figure 1: Example of process from Data Flair


Imagine you wake up at 7am every day to go to work. Your alarm clock does the job of waking you just fine. That is, until something goes wrong. Your train’s cancelled and you have to drive to work instead. The only problem is that it takes longer to drive, and you would have needed to get up at 6.45am to avoid being late. Oh, and it’s pouring with rain, so you’ll need to drive slower than usual. A connected or IoT-enabled alarm clock would reset itself based on all these factors, to ensure you got to work on time. It could recognize that your usual train is cancelled, calculate the driving distance and travel time for your alternative route to work, check the weather and factor in slower traveling speed because of heavy rain, and calculate when it needs to wake you up so you’re not late. If it’s super-smart, it might even sync with your IoT-enabled coffee maker, to ensure your morning caffeine’s ready to go when you get up.

History

We are living connected lives filled with internet-enabled devices that learn our preferences and provide the experiences we want to make our lives more convenient. And the technology that makes it possible to connect our lives is expanding. There are several types of timelines, such as for the Industrial Internet of Things, and variations of timelines. Many timelines put the point of inception at 1999, when the name was first spoken, followed by the first Internet-connected refrigerator by LG. The best and most informative timeline is at Tiki-Tiki.

Figure 2: IoT devices to people from Data Flair

There are already more connected things than people in the world with total spending on IoT endpoints and services to reach almost $2 trillion in 2017.

Security

The sins of the past for Industrial Control Systems regarding security have not been learned from. Security is one of the biggest issues with the IoT. These sensors are collecting sensitive data: what you say and do in your own home. Many IoT devices don’t include basic security. A well-known botnet was dubbed Mirai. Mirai is IoT-specialized malware that uses common default usernames and passwords (“admin” and “password”) to gain access to IoT devices. An individual IoT device cannot perform much of an attack; however, the combination of millions of devices was used to perform distributed denial of service (DDoS) attacks on Dyn, a company that provides domain name services to major companies. There are other incidents, like the hacking of a Jeep by manipulating the air conditioner, in which the attackers were able to steer the car and turn the engine off.

When searching for information on securing IoT, virtually every resource found on an initial search concluded that end users should take action, rather than addressing the problem at the root of the product (hardware, software, and configuration). Norton provided 9 measures a user can take:
  • Install reputable internet security software
  • Use strong and unique passwords
  • Read the privacy policy of the apps
  • Purchase reputable brands
  • Know what data the device or app wants to access
  • Use a VPN to transmit data
  • Patch the device
  • Use caution when using social sharing features
  • Never leave your smartphone unattended if you’re using it in a public space
The Internet of Things consists of components, sensors, and other everyday objects combined with Internet connectivity and powerful data analytic capabilities that promise to transform the way we work, live, and play. However, the Internet of Things raises significant challenges that could stand in the way of realizing its potential benefits. Be responsible as a vendor and protect yourself as a user.

Monday, June 24, 2019

Week 04 - Security Awareness and Training

TL:DR - Learning is a continuum that requires understanding what you are trying to accomplish that is combined with soft skills for delivery to change the culture.

The National Institute of Standards and Technology developed a document on how to create a Security Awareness Program that is fairly OK.

Employees require additional training to increase their awareness, knowledge, skills, and abilities in security. They are the last defense against intentional or unintentional actions that may cause harm; whether it be a physical item, information on paper or digital, actions of destruction, or compromise. Success of a security program is based on employees understanding the importance of their role in protecting the organization’s assets and their own personal lives and how they fit into the overall picture and change their behavior and organization’s culture.

Learning is a continuum; it starts with awareness, builds to training, and evolves into education. The following definitions explain the differences along the continuum:

  • Awareness: The purpose of awareness is to focus attention on security to allow individuals to recognize security concerns and respond accordingly.
  • Training: Training seeks to teach skills. Its purpose is to produce relevant and needed security skills and competencies in practitioners of functional specialties other than security (e.g., management, systems design and development, acquisition, auditing).
  • Education: Integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and strives to produce security specialists and professionals capable of vision and proactive response.

Training is provided in many forms, as determined by the content, the target audience, and what maximizes effectiveness. The following methods may be employed: required reading, computer-based, web-based, off-site professional training, classroom, testing like phishing campaigns, posters, or infographics. The level of force and complexity applied to this training depends on the target audience: a general employee/user receives basic awareness and/or training at a specified interval, while some critical roles, such as security professionals, management, or technical administrators, receive additional training by other methods that is tailored to their functions.

Most training focuses on the general employee/user. The employee/user is the largest audience of an organization and is considered the weakest link in security because they are capable of bypassing safeguards. However, they are capable of being the greatest defender of the system. An awareness and training program is the vehicle for communicating security requirements to the user population. The content:

  • Explains proper rules of behavior for the subject, like use of systems and information
  • Specifies policies and procedures that need to be followed
  • States sanctions imposed due to noncompliance
  • Advises what is expected from a user

Changing behavior is key; however, less than 15 percent of security professionals have a background in soft skills such as training, marketing, or communications. Lance Spitzner names the “Three C's of Security Awareness” for success of the program: communication, collaboration, and culture. This is accomplished by clearly explaining why people should care, working on how to communicate what we need them to do in simple terms, and validating that people are exhibiting those behaviors. A picture is worth a thousand words; the following are two awareness examples.

Figure 1: Poster

Figure 2: Infographic

Monday, June 17, 2019

Week 03 - Demystify First Two Steps of the RMF

TL:DR - Determining the baseline controls to be implemented for the system is half the battle, G.I. Joe.


An explanation of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) was published on June 10, 2019. This is a follow-up to that post, explaining the processes for the first two steps of the RMF and how they would be used by an organization. In epic fashion, the United States (U.S.) federal government, NIST, did not create a single document for these steps (Categorization and Select Controls) for simple understanding, but created an exorbitant number of documents to secure information systems. These documents are interconnected, and no one document can be explained on its own for a holistic understanding. The following documents are referenced:



FIPS-199, Standards for Security Categorization of Federal Information and Information Systems, requires that federal government agencies categorize information and information systems. NIST Special Publication (SP), 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Volume I & II, is the guideline for establishing the categorization and provides the various information types, descriptions, and suggested information ranking for confidentiality, integrity, and availability.

In order to categorize a system, the Mission-Based Information Types and Delivery Mechanisms (NIST SP 800-60, Table 4), Services Delivery Support Functions and Information Types (NIST SP 800-60, Table 5), and Government Resource Management Functions and Information Types (NIST SP 800-60, Table 6) are used to determine which information types exist in or are supported by the system. These tables are included for reference:




In addition, the following are considerations when categorizing:
  • Business and mission areas
  • Indicating whether the information is time-critical in rationales for assigning availability impact levels
  • Rationales for assigning information to the General Information Type
  • Results of reviewing the identified security categorizations for the aggregate of information types
  • Effects of various factors and circumstances (e.g., data aggregation, critical system functionality, privacy, trade secrets, critical infrastructure, extenuating circumstances) on the system category

The results of the analysis are documented, as in the example table shown below. For each information type, an example of an explanation is provided to justify selection of that type. These information types are listed in Step 1 of the table. Step 2 of the table identifies the provisional confidentiality, integrity, and availability categorization of each information type, while Step 3 identifies any adjustments to it. Finally, Step 4 identifies the overall categorization of the system using the “high water mark” from the collection of information types selected from NIST 800-60 as noted above.
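Steps 1 through 4 worked through in Python, as an added example that is not from the original post or from NIST. The information type names, levels, and rationales are constructed for illustration and are not taken from the SP 800-60 tables; the "not applicable" rule for confidentiality and the LOW floor at system level follow FIPS 199.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    NA = 0        # FIPS 199: "not applicable" is allowed for confidentiality only
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    name: str                                      # Step 1: selected information type
    provisional: dict                              # Step 2: objective -> Impact
    adjusted: dict = field(default_factory=dict)   # Step 3: objective -> (Impact, rationale)

    def final(self):
        """Return the post-adjustment level per objective, validating the record."""
        levels = {}
        for obj in OBJECTIVES:
            if obj not in self.provisional:
                raise ValueError(f"{self.name}: no provisional {obj} level")
            level = self.provisional[obj]
            if obj in self.adjusted:
                level, rationale = self.adjusted[obj]
                if not rationale.strip():
                    raise ValueError(f"{self.name}: {obj} adjustment needs a rationale")
            if level == Impact.NA and obj != "confidentiality":
                raise ValueError(f"{self.name}: NA is only valid for confidentiality")
            levels[obj] = Impact(level)
        return levels


def categorize(info_types):
    """Step 4: high water mark per objective, then the overall system level."""
    if not info_types:
        raise ValueError("at least one information type is required")
    finals = [t.final() for t in info_types]
    # A system-level objective can never be NA, so the floor is LOW.
    system = {obj: max(Impact.LOW, *(f[obj] for f in finals)) for obj in OBJECTIVES}
    overall = max(system.values())   # this level selects the control baseline
    return system, overall


def format_category(system):
    """Render the result in the FIPS 199 security category notation."""
    pairs = ", ".join(f"({obj}, {system[obj].name})" for obj in OBJECTIVES)
    return f"SC system = {{{pairs}}}"


# Constructed sample input (hypothetical information types, not SP 800-60 entries).
SAMPLE_TYPES = [
    InfoType("Constructed type A: public outreach content",
             {"confidentiality": Impact.NA, "integrity": Impact.LOW,
              "availability": Impact.LOW}),
    InfoType("Constructed type B: customer billing records",
             {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE,
              "availability": Impact.LOW},
             adjusted={"availability": (Impact.MODERATE,
                                        "billing run is time-critical at month end")}),
    InfoType("Constructed type C: field telemetry",
             {"confidentiality": Impact.LOW, "integrity": Impact.MODERATE,
              "availability": Impact.MODERATE},
             adjusted={"integrity": (Impact.HIGH,
                                     "values feed critical system functionality")}),
]

if __name__ == "__main__":
    system, overall = categorize(SAMPLE_TYPES)
    print(format_category(system))
    print(f"Overall: {overall.name} -> {overall.name.lower()}-impact control baseline")
```

One adjusted HIGH on a single objective of a single information type is enough to make the whole system high-impact, which is why each Step 3 adjustment is required to carry a rationale.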


At this point, the system under review has been categorized. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, then requires that the minimum security requirements (a.k.a. “Security Controls”), which are located in NIST SP 800-53, Security and Privacy Controls for Systems and Organizations, are applied to the system based on its categorization.

Example of controls to be applied based on its categorization:


Security controls are physical, technical, and/or administrative safeguards or countermeasures to avoid, counteract, or minimize loss/unavailability due to threats that cause risk. Administrative controls are actions taken by people as directed by policy and procedures. Technical controls are carried out or managed by automated systems. These controls are categorized as preventive, detective, corrective, and compensatory (SANS). It is important to note that NIST SP 800-53 states what the controls are, but allows the organization to define parameters within the control and how to implement them.

These four documents are basic building blocks for protecting systems owned by the U.S. federal government. There are other connected documents, like the System Security Plan (documenting how the controls are implemented) and risk assessment documents (detailing and explaining risk to the confidentiality, availability, and integrity of the system and/or data based on how the controls are implemented). Even though controls can be required, it doesn’t mean that they are effective. How the controls are implemented and managed is more important in meeting the intent. Furthermore, each system is different, and a method and/or tool that works for one system may not be the right solution for another. The federal government is moving away from compliance-based assessment of controls to the effectiveness of the controls and capabilities deployed. This model has been dubbed The Cybersecurity Framework.

Monday, June 10, 2019

Week 02 - National Institute of Standards and Technology Risk Management Framework


TL:DR - The goal is not to bring risk to zero, but to an acceptable level of risk the organization is willing to tolerate.


Introduction

The United States Congress passed Public Law 107-347, titled the E-Government Act of 2002. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.

Under SEC. 303, the National Institute of Standards and Technology (NIST) is charged with the mission of developing standards, guidelines, and associated methods and techniques for information systems based on an integrated Risk Management Framework (RMF).

Publications in NIST’s Special Publication (SP) 800 series present information of interest for computer security and privacy needs. The publications cover virtually every aspect of computer security. These documents recommend procedures and criteria for assessing and documenting threats, vulnerabilities, and implementing security measures to minimize the risk.

The foundation is based on the NIST SP 800-37, Risk Management Framework For Information Systems and Organizations. The NIST RMF “emphasizes risk management by promoting the development of security capabilities throughout the system development life cycle (SDLC); maintaining situational awareness of the security posture of those systems on an ongoing basis by means of continuous monitoring processes. Furthermore, providing information to senior leaders and executives to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations from the use and operation of their systems.”

However, it is SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, that provides a structured approach for managing risk through assessing, responding to, and monitoring. The document includes the components of risk management; life cycle-based process; and additional information such as process tasks, governance models, strategies, etc. This approach is to be applied throughout the entire organization: organization level, mission/business process level, and system level.

The risk management cycle is an iterative and continuous process, constantly informed by the changing risk landscape, organizational priorities, and functional changes. It is carried out as a holistic activity from the strategic to the tactical level. The risk management cycle provides four elements that structure an organization’s approach to risk management, as represented in Figure 1:
Figure 1: Risk Management Framework Lifecycle

Frame

The first component of risk management addresses how organizations frame risk by describing the environment in which risk-based decisions are made. The risk frame delineates the boundaries for risk-based decisions within organizations. These boundaries are based on:

  • Assumptions (e.g., threats, vulnerabilities, consequences/impact, and likelihood of occurrence)
  • Constraints (e.g., imposed by legislation, regulation, resource constraints (time, money, and people) and other factors identified by the organization)
  • Tolerance (e.g., levels of risk, types of risk, and degree of risk uncertainty that are acceptable)
  • Priorities and trade-offs (e.g., the relative importance of missions/business functions, trade-offs among different types of risk that organizations face, time frames in which organizations must address risk, and any factors of uncertainty that organizations consider in risk responses)

all of which affect how risk is assessed, responded to, and monitored.

Assess

The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. Assessment is the process of identifying, estimating, and prioritizing risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur. It should identify:

  • Threats
  • Vulnerabilities
  • Consequences (Impact) 
  • Likelihood

The assessment approach is usually quantitative, qualitative, or semi-quantitative; however, this document utilizes the qualitative method. In qualitative risk assessment, the focus is on perceptions about the probability of a risk occurring and its impact on relevant organizational aspects, which are represented on scales such as “low, medium, or high”.

Respond

The third component of risk management is about addressing how organizations respond to risk once that risk is determined based on the results of risk assessments (controls). “The purpose of the risk response component is to provide a consistent, organization-wide, response to risk in accordance with the organizational risk frame by: developing alternative courses of action for responding to risk; evaluating the alternative courses of action; determining appropriate courses of action consistent with organizational risk tolerance; and implementing risk responses based on selected courses of action.” There are five basic strategies:

  • Defense: Applying safeguards that eliminate or reduce the remaining uncontrolled risk. 
  • Transferal: Shifting risks to other areas or outside. 
  • Mitigation: Reducing the impact to information assets should an attacker successfully exploit a vulnerability.
  • Acceptance: Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control. 
  • Termination: Removing or discontinuing the information asset from the organization. 


Acceptance is the decision to do nothing to protect the asset from the risk and accept the outcome from any resulting exploitation. This strategy assumes that it can be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the expenditure. This strategy is recognized as valid only when the organization has:

  • Determined the level of risk,
  • Assessed the probability of attack and likelihood of exploitation,
  • Estimated the potential damage,
  • Evaluated the feasibility of potential controls,
  • Performed a cost-benefit analysis, and
  • Determined that the costs to control do not justify the costs to implement and maintain.

Monitor

The fourth and last component provides organizations with the means to verify compliance, evaluate the effectiveness of response controls, and identify changes, as an iterative feedback loop for continuous improvement in the risk-related activities of organizations. This is truly the test and audit phase, whose output increases risk awareness by developing an understanding of the ongoing risk. This is accomplished through tools, techniques, policy and procedure, and organizational programs.

  • An assessment program that gathers information about different aspects of the environment and practice as observed, to determine the adequacy of response controls for managing identified risks.
  • Conduct risk assessments based on this framework document at a defined frequency and/or when criteria defined in a procedure require it.
  • Develop metrics that are quantifiable to gauge performance or progress about how processes are functioning and provide bases for suggestion of improvements.
  • Defense and mitigating responses have a reporting function either manual or automated to include change management.
  • Institute security testing; however, this activity should be used with extreme caution.

Implementation at System Level

Execution of the framework within an environment is visually depicted and described below.

Core NIST Documents:

Note: FIPS PUB stands for Federal Information Processing Standards (FIPS) Publication (PUB).
  • FIPS-199, Standards for Security Categorization of Federal Information and Information Systems
  • FIPS-200, Minimum Security Requirements for Federal Information and Information Systems
  • NIST SP 800-18, Guide for Developing Security Plans for Systems
  • NIST SP 800-30, Guide for Conducting Risk Assessments
  • NIST SP 800-53, Security and Privacy Controls for Systems and Organizations
  • NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
Figure 2: System Certification & Accreditation


  • Categorize: Categorize the system and the information processed, stored, and transmitted by that system based on an impact analysis.
  • Select: Selecting an initial set of baseline security controls based on the categorization as well as tailoring and supplementing the security control baseline as needed.
  • Implement: Implementing security controls and describing how the controls are employed within the system and its environment of operation.
  • Assess: Assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  • Authorize: Management authorizes a system to operate or continue to operate based on the results of a complete and thorough security control assessment.
  • Monitor: Continuously monitor the security controls to ensure that they are effective over time as changes occur in the system and the environment in which the system operates.

Conclusion

Systems are subject to threats that can have adverse effects on an organization’s operation, assets, individuals, and other entities through the exploitation of vulnerabilities that compromise confidentiality, integrity, and availability. Every decision is based on risk. The goal is not to bring risk to zero, but to an acceptable level of risk the organization is willing to tolerate. The statement is made because an organization doesn’t have unlimited resources, and a perfectly secure system is one that has no data and has the power cord removed from the wall, and is thus non-functional.

Sunday, November 27, 2016

Air Gapped Systems (Part 3) - DiskFiltration

The past two posts were about extracting data from, or compromising, air-gapped systems via USB flash drive, as with Stuxnet, or through acoustic sounds generated by the machine's processor and cooling fans, called Fansmitter. This post covers DiskFiltration, in which researchers at Israel's Ben Gurion University use noises emitted from the device's hard drive.

The attack does require malware to be installed on the target. The malware generates acoustic emissions at specific audio frequencies by controlling the movements of the HDD's actuator arm; these can be picked up by a nearby receiver, such as a smartwatch, laptop, or smartphone. It doesn't require the presence of speakers or audio hardware on the target. The attack is effective at a range of six feet, at a transfer rate of 180 bits per minute.

Countermeasures:

  • Hardware
      • SSD
      • Quiet HDD
      • Dampener cases
      • Noise detectors
      • Jammers
  • Software
      • HIDS/HIPS
      • Automatic Acoustic Management (AAM)
  • Procedural
      • Zone separation