Data Privacy Archives - CUTTING EDGE VISIONARIES

Information security

August 3, 2022 by Gaurav Ahujain Cyber security, Data PrivacyLeave a Comment

Reading Time: 5 minutes

What do we first mean by “Security”?

“The quality or state of being secure—to be free from danger.” A successful organization should have multiple layers of security in place:

• Physical security: safeguarding personnel, hardware, software, networks, and data against physical actions and events that could result in significant loss or damage to an enterprise, agency, or institution.

• Operations security-Protection of the details of a particular operation or activity.

• Communication Security-Protection of organization communication media, technology, and content

• Network Security-Protection of Networking components, connections and contents.

• Information Security-Protection of information and its Critical elements.

Information Security

Information security refers to securing the data or information and information systems from unauthorized access, unauthorized use, misuse, destruction, or alteration. It plays a vital role in protecting the interests of individuals who depend on information or data. Information security aims to protect the confidentiality, integrity, and availability of information.

Elements of Information Security

Confidentiality:

Information is accessible only to those who are authorized to view it.

Integrity:

Information, especially while being communicated, is protected against unauthorized modification.

Availability:

Information is invulnerable to attacks or is recoverable in a secured way, i.e., it is available (only to authorized) when it should be.

Non-Repudiation:

The sender of information cannot deny that information has NOT been sent by him.

The Need for Information Security

-Protecting the functionality of the organization

-Enabling the safe operation of applications

-Protecting the data that the organization collects and uses

-Safeguarding technology assets in organizations

The Importance of Information Security

Companies need to be confident that they have strong data security and that they can protect against cyber-attacks and other unauthorized access and data breaches. Weak data security can lead to key information being lost or stolen, creating a poor experience for customers that can lead to lost business and reputational harm if a company does not implement sufficient protections over customer data and information security weaknesses are exploited by hackers. Solid information security reduces the risks of attacks in information technology systems, implements security controls to prevent unauthorized access to sensitive data, prevents service disruption caused by cyber-attacks such as denial-of-service (DoS attacks), and much more.

Information Security Attack Vectors

An attack vector is a pathway or method used by a hacker to illegally access a network or computer to exploit system vulnerabilities. Hackers use numerous attack vectors to launch attacks that take advantage of system weaknesses, cause data breaches, or steal login credentials.

Cloud Computing Threats:

Cloud computing is an on-demand delivery of IT capabilities where sensitive data of organizations and clients is stored.

The flaw in one client’s application cloud allows attackers to access other clients’ data.

Advanced Persistent Threats:

An APT is an attack that focuses on stealing information from the victim’s machine without the user being aware of it.

Viruses and Worms:

Viruses and worms are the most prevalent networking threats that are capable of infecting a network within seconds.

Mobile Threats:

The focus of attackers has shifted to mobile devices due to the increased adoption of mobile devices for business and personal purposes and comparatively lower security controls.

Botnet:

A botnet is a huge network of compromised systems used by an intruder to perform various network attacks.

Insider Attack:

It is an attack performed on a corporate network or a single computer by an entrusted person (insider) who has authorized access to the network.

Information Security Threat Categories

Network Threats

-Information gathering

-Sniffing and eavesdropping

-Spoofing

-Session hijacking and Man-in-the-Middle attack

-DNS and ARP Poisoning

-Password-based attacks

-Denial-of-Service attack

-Compromised-key attack

-Firewall and IDS attack

Host Threats

-Malware attacks

-Footprinting

-Password attacks

-Denial-of-Service attacks

-Arbitrary code execution

-Unauthorized access

-Privilege escalation

-Backdoor attacks

-Physical security threats

Application Threats

-Improper data/input validation

-Authentication and Authorization attacks

-Security misconfiguration

-Information disclosure

-Broken session management

-Buffer overflow issues

-Cryptography attacks

-SQL injection

-Improper error handling and exception management

Cybersecurity

Cybersecurity is the protection of internet-connected systems such as hardware, software, and data from cyber threats. The practice is used by individuals and enterprises to protect against unauthorized access to data centres and other computerized systems.

Distinctions between Cybersecurity and Information security

Cybersecurity is meant to protect against attacks in cyberspace such as data, storage sources, devices, etc. In contrast, information security is intended to protect data from any form of threat, regardless of analogue or digital. Cybersecurity usually deals with cybercrimes, cyber fraud, and law enforcement. On the contrary, information security deals with unauthorized access, disclosure modification, and disruption.

Cybersecurity is handled by professionals who are trained to deal with advanced persistent threats (APT) specifically. Information security, on the other hand, lays the foundation of data security and is trained to prioritize resources first before eradicating threats or attacks.

Information Security Laws and Standards

• Payment Card Industry Data Security Standard (PCI-DSS)

• ISO/IEC 27001:2013

• Health Insurance Portability and Accountability Act (HIPAA) 1996

• Sarbanes Oxley Act (SOX) 2002

• The Digital Millennium Copyright Act (DMCA) 1998

• Federal Info Security Management Act (FISMA) 2002

• Cyber Laws

Conclusion

In conclusion, nowadays the value of data has reached a critical point, becoming one of the most important assets that a company can possess, while collecting, processing, transmitting, and storing it has become too complex.

Information security is designed to protect the confidentiality, integrity, and availability of computer systems and physical data from unauthorized access, whether with malicious intent or not.

Confidentiality, integrity, and availability are referred to as the CIA triad.

Every information security program is concerned with protecting the CIA triad while maintaining organizational productivity.

“The goal of information security is not to bring residual risk to zero; it is to bring residual risk into line with an organization’s comfort zone or risk appetite.”

IoTOGRAPHY

May 30, 2020 by Aman Gondaliyain Cyber security, Data Privacy, TechnologyLeave a Comment

Reading Time: 5 minutesIoT Overview

We are living in a world where technology is developing exponentially. You might have heard the word IoT, Internet of Things. You might have heard about driverless cars, smart homes, wearables.

The Internet of things is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction

IoT is also used in many places such as farms, hospitals, industries. You might have heard about smart city projects too (in India). We are using lots of sensors, embedded systems, microcontrollers and lots of other devices connecting them to the internet to use those data and improve our current technology.

Our sensors will capture lots of data and it will be used further depending on the user or owner. But what if I say this technology can be harmful too? It may or may not be safe to use it. How?

These data transferring from using IoT from source to its destination can be intercepted in between and can be altered too. It can be harmful if the data is very important, For ex. Reports of a patient generated using IoT can be intercepted and altered so the doctor can not give the correct treatment to the patient. Also, some IoT devices can be used by the Army transferring very secret data. If it can get leaked, then it can create trouble for the whole country.

The Information-technology Promotion Agency of Japan (IPA) has ranked “Exteriorization of the vulnerability of IoT devices” as 8th in its report entitled “The 10 Major Security Threats”.

So, can we just stop using IoT? No, we can’t. We have to secure our data or encrypt our data so the eavesdropper can never know what we are transferring.

Cryptography Overview :

Cryptography is a method of Protecting information and communications through the use of codes, so that only those for whom the information is intended can read and process it.

There are mainly two types of encryption methods.

Symmetric key
Asymmetric key

Symmetric key uses the same secret key to encrypt or decrypt data while Asymmetric key has one public key and one private key. A public key is used to encrypt data and it is not a secret, anyone can have it and use it to encrypt data but only a private key (of the same person whose public key was used) can be used to decrypt that plaintext.

In Cryptography, We usually have a plaintext and we use some functions, tables and keys to generate ciphertext depending on our encryption method. Also In order to make our data exchange totally secure, we need a good block cypher, secure key exchange algorithm, hash algorithm and a message authentication code.

Block cipher – It is a computable algorithm to encrypt a plaintext block-wise using a symmetric key.

Key Exchange Algorithm – It is a method to share a secret key between two parties in order to allow the use of a cryptography algorithm.

Hash Algorithm – It is a function that converts a data string into a numeric string output of fixed length. The hash data is much much smaller than the original data. This can be used to produce message authentication schemes.

Message Authentication Code (MAC) – It is a piece of information used to authenticate the message. Or in simple words, to check that the message came from the expected sender and the message has not been changed by any eavesdropper.

NOTE: you might wonder why we don’t just send data using key exchange algorithms when it is reliable to share secret keys. You can search for it or tell you in short. It is neither reliable nor secure to share data using key exchange algorithms.

LightWeight Cryptography:

Encryption is already applied at the data link layer of communication systems such as the cellphone. Even in such a case, encryption in the application layer is effective in providing end-to-end data protection from the device to the server and to ensure security independently from the communication system. Then encryption must be applied at the processor processing the application and on unused resources and hence should desirably be as lightweight as possible.

There are several constraints required to achieve encryption in IoT.

Power Consumption
Size of RAM / ROM
Size of the device
Throughput, Delay

Embedded systems are available in the market with 8bit, 16-bit or 32-bit processors. They have their own uses. Suppose we have implemented a system of Automated doors which open and close automatically at a bank. Which also counts how many people entered or left the bank. We want to keep this record secret and store it on the cloud. Using a 1GB RAM, 32bit / 64bit processor with a very good ROM just to ensure the privacy of data doesn’t make sense here. Because we will need a good space to install our setup, we will need to spend a lot more money than we should while this thing can be achieved with cheaper RAM, ROM and processor.

Keeping the above points in mind, implementing conventional cryptography in IoT which are used for Mobile Phones, Tablet, Laptop / PC, Server is not possible. We have to develop a separate field “Lightweight Cryptography” which can be used in Sensor networks, Embedded systems etc.

Applying encryption to sensor devices means the implementation of data protection for confidentiality and integrity, which can be an effective countermeasure against the threats. Lightweight cryptography has the function of enabling the application of secure encryption, even for devices with limited resources.

Talking about AES, It usually takes 128bit long keys with 128 lock size. It uses 10 rounds of different steps like subbytes, shift rows, mix columns and add round keys. Implementing this requires a good amount of space, processing speed and power. We can implement it in IoT with reduced length of key or length of the blocksize but then it will take less than 30 minutes to break AES.

There are many Lightweight cryptography algorithms developed like TWINE, PRESENT, HEIGHT etc. Discussing all of them requires a series of blogs but I am adding a table showing a comparison of some Lightweight Cryptography. You can observe changes in block size from 64 to 96 can create a huge difference in power consumption and area requirement.

Lightweight cryptography has received increasing attention from both academic and industry in the past two decades. There is no standard lightweight cryptosystem like we have AES in conventional cryptography. Research is still going on. You can get updates of the progress at https://csrc.nist.gov/Projects/lightweight-cryptography.

The whole idea behind this blog is to discuss lightweight cryptography and overview of it. 🙂

Author: Aman Gondaliya

Keep reading, keep learning!

TEAM CEV

Terrorism and Data Privacy

January 6, 2020January 12, 2020 by Sahil Makwanain Comps, Computer Science, concerning, Cyber security, Data PrivacyLeave a Comment

Reading Time: 5 minutesTerrorism is very scary, especially when it happens close to home and not in some faraway place. Nobody likes to be afraid, and we were eager to make the fear go away. So we demanded more security. In the last decade, it’s become increasingly normal for civil liberties to be eroded and for government agencies to spy on citizens, to collect and store their personal information. Regardless of whether you’re a fan of right- or left-wing policies, this affects every one of us.

So we have to take a look at the data and ask ourselves honestly, “Has all of this actually made us safer?”

The Beginning

After the attack of 9/11, the US government concluded that the law had not kept pace with technology. It created the Terrorist Surveillance Program initially to break communications linked to al-Qaeda. Officials were confident that if the program had been in place before 9/11, the hijackers could have been stopped. But soon the new powers were also used to prove guilt by association.

The FBI used immigration records to identify Arab and Muslim foreign nationals in the US. On this basis, 80,000 individuals were required to register, another 8,000 were called in for FBI interviews, and more than 5,000 locked up in preventive detention. Not one terrorist was found in this campaign.

In 2013 Snowden leaked the document that reveals how the government sees and stores the private data of public. They showed how the NSA(National Security Agency) can demand information about users from companies like Microsoft or Google in addition to their daily collection of data from civilian internet traffic such as email content and contact lists. So, instead of focusing on criminals, governments are increasingly turning their attention to everyone. But if you are looking for a needle in a bundle of grass, adding more grass to the bundle isn’t going to make it any easier to find the needle.

On the contrary, every recent success announced by the NSA has come from classic target surveillance. Despite high hopes, the NSA surveillance program has not stopped any major terror attack.

Apple Vs FBI

In early 2016, the FBI asked Apple to produce a backdoor program to disable the encryption of a terrorist’s iPhone. Apple publicly declined, not only because this tool could be used to permanently weaken the privacy of law-abiding citizens worldwide, but fearing to open the floodgates for governments requesting access to a technology used by billions of people, a fear shared by security experts and cryptographers. A few weeks later, the FBI revealed that they had hacked the phone themselves, basically admitting that they lied to the public about the need for a backdoor, which questions how trustworthy spy agencies are in the debate about privacy and security, especially considering that the NSA, for example, already has the capability to turn on your iPhone microphone or activate your laptop camera without you noticing. Concerns about this are often met with the argument,

“If you have nothing to hide, you have nothing to fear.”

But this reasoning depends on person to person because if a person wants to keep privacy about own life then it doesn’t mean he/she is doing anything wrong. Right now, we live in a democracy. But imagine the damage the wrong person could do with our data because data is the new treasure of the current world.

The Government uses this law for own benefits

For example, following the November 2015 Paris attacks, France expanded its already extensive anti-terrorism laws by giving law enforcement greater powers to conduct house raids and place people under house arrest. Within weeks, evidence emerged that these powers were being used for unintended purposes, such as quashing climate change protests. The governments of Spain, Hungary, and Poland have introduced more restrictive laws on the freedom of assembly and speech.

If we talk about the FBI, then there is a case of former FBI director James Comey used this NSA data for his personal use.

There is also a case of Cambridge data analytica.

Indian Cases related to Data privacy :

Now if we talk about the case of India, this data privacy issue first come is light when aadhar card details were easily available. In Supreme court hearing Unique Identification Authority of India(UIDAI), the agency implementing aadhar repeatedly argued about Aadhaar that It will help against terrorism and banking fraud by ensuring that only “genuine” persons get access to mobiles, and banking services but in reality, the bank fraud cases were increased.

There is also a big question about how these aadhar card can be misused? Adhar card become more dangerous when other documents linked with aadhar. Imagine a third party hacker can access all your data like biometrics and bank account details then he can damage you in a bad way.

None of this is effectively helping us fight terrorism. The motivation behind this might be good, even noble, but if we let our elected governments limit our personal freedom, the terrorists are winning.

Then what is the Solution?

What’s worse, if we’re not careful, we might slowly move towards a surveillance state. The data is pretty clear: the erosion of rights, along with mass surveillance, hasn’t led to significant successes so far, but it has changed the nature of our society.

Terrorism is a complicated problem…

…without simple solutions.

No security apparatus can prevent a few guys from building a bomb in their basement. Creating master keys to enter millions of phones is not the same as searching for a single house. To take full advantage of this existing condition, we need better international cooperation and more effective security and foreign policies, better application of our present laws instead of new and stricter ones that undermine our freedom. We live in Democracy and we have our rights in our hands.

Keep reading, keep learning

TEAM CEV!