EA 874 Blog Topic 5 Security Architecture

Vulnerabilities

 

We all my have heard about the Equifax security breach. The core of the issue was an attacker was able to exploit a known vulerablilty in one of their web servers. This exploit allowed the hacker to gain access to the internal network and ultimately steal personal information such as social security number, driver license number, name and address among other personal information for roughly 143 million customers.

The vulnerability was discovered and a patch was released in March of 2017. This means that the Equifax patching team had over two months to patch the vulnerability which would have thwarted hackers attempts to comprimise the system. Hoevere, Equifax did not patch their systems and the data was stolen sometime in mid May of 2017. Things got worse from there. The company did not report the breach for another six weeks and there were also reports of seniro executives selling Equifax stocks prior to the public being notified of the breach.

In investigation is still ongoing, but it is clear, all security architecture, processes and procedures completely broke down at this company. As we move faster with the implementatiions of technology and with machine learning and AI becoming more pervasive in our personal and professional lives. It is imperative that not only individuals, but companies step back and take a hard look at their security architectures and risk management. This was a completely avoidable event and should never have happened.

 

 

 

Data Security

With the increase in devices that create data and the systems that use data, there has been a paradigm shift in how to security data. Typically, in the past, data has been secured in siloed application or file share. Users with access would then consume the data form those locations. IN this model there were many security measures in place, but limited to the systems and file stores. Now, we must look at how to secure the data itself, regardless of its location.

Data classification is almost as elusive as big foot, companies like the idea but rarely implement such a process.   As we explode with data, we need to understand the type of data we are generating and what type of risk it opens. For example, data that may be generated from systems that show general health or telemetry data should not be protected in the same way as some financial or intellectual property data. Therefore, there should be a multi-layer approach and security should be applied to the data regardless of its location.

Security controls need to adapt to the new way data is used and how it is transferred. Companies should start taking a more risk based approach to data security. Additionally, they should start leveraging technologies such as application firewalls, certificate and multi-factor based authentication. Ensure backups are stable and solid and test restores. Encrypting all data, data should never be stored or transferred un-encrypted. Lastly companies should constantly test their controls. You never know where your weaknesses are until you test and you never know what can be possible until you test against that threat. This helps fortify areas that may otherwise be weak.

Encryption

Encryption is the process of changing the presentation of information in a way that is unreadable to others unless they have a key which deciphers the data back to its readable format. With the explosion in the amount of data created; encryption has become more popular because a lot of this new data could be very damaging if it were to be compromised.   Companies, governments and individuals have been using encryption to secure data for years. The challenge has always been keeping up with the encryption algorithms. Because faster computers and more intelligent algorithms keep cracking the encryption. For example; DES was one of the first encryption standards used, and has since been replaced by triple DES and other encryption standards due to its vulnerability to be cracked by high performing computers.

With the recent data breaches and more ransomware attacks, companies will begin to escalate their encryption competencies and start to use this as a strategic position to protect their customers data and their intellectual property.

 

References

Chicago Tribune. (September, 2017). The Equifax Breach: What lesson will other companies learn?. Retrieved from https://search-proquest-com.ezaccess.libraries.psu.edu/docview/1938147054?pq-origsite=summon&https://search.proquest.com.ezaccess.libraries.psu.edu/usmajordailies?accountid=13158

Wikipedia. (September, 2017). Retrieved from https://en.wikipedia.org/wiki/Equifax

Gerber, S. August 23. 13 Ways companies should improve their data security in the age of IoT. Retrieved from https://thenextweb.com/entrepreneur/2016/08/23/13-ways-companies-improve-data-security-age-iot/

 

EA 874 Blog Topic 4 Technology Infrastructure Architecture

Dominic Patruno

IoT

 Internet of Things also known as IoT is a network of devices embedded with software, sensors and actuators all connected together collecting and possibly transferring data (Wikipedia, 2017).  The purpose of IoT devices is to connect the physical world with the computer based systems to track, monitor and these devices with increased efficiency, accuracy and limited human intervention.

IoT has been in use for quite some time, the airline industry has been using sensors to monitor engine performance and maintenance for years.  However with the ever increasing growth of IoT devices and the use not only in commercial but now consumer spaces, it is important that security be part of the architecture and support moving forward.

More and more devices are being connected such as phones, fitness trackers, automobiles and watches, those devices and the data they collect become a target for hackers.  Manufacturers and consumers must be vigilant in the security of their devices and ensure they are kept up to date in software updates.

As manufacturers and consumers enter the IoT space, they need to consider the following best security practices.  Data collection, understand the terms on how the data is collected and used, additionally be sure how the data is transferred and to whom.  Keep up on the how devies are secured and how the companies are looking to keep their devices secured.  Security threats are constantly evolving and so should the products to address them.  Stay informed of legislation that will govern privacy standards for consumers, be sure the products you purchase and or manufacture are adhering to these practces and governance.

 

Edge Computing

Edge computing is the processing of data at the edge of the network closet to where the data is being captured (Wikipedia, 2017).  This edge computing uses cloud computing technologies to process and analyze data and makes decisions before sending the data to a central repository, typically in a centralized data center or hybrid cloud.

The difference between edge computing and just having servers on premise is the purpose and the technology.  In the case of having on premise servers for computing was to delivery applications.  In this case the main goal of edge computing is to deliver data processing and analytics, while reducing network bandwidth requirements and data latency.

As more and more IoT devices become embedded in our organizations, and begin collecting more data.  It will be imperative that we start to create these edge computing environments as data collection and processing points to handle the sheer volume of data.  Additionally, these edge computing environments can act as continuous improvements hubs that analyze data and act based on the analysis.

I believe this is still a new and evolving technology and will continue to mature and adapt to the needs of the market.  Vendors such as Cisco, Microsoft and Google are watching very closely and placing bets where they feel they can make a difference.

 

Wearables

Wearable technology is technology that can be worn on the body and is typically connected to the internet either through a smart phone or its own network connection.  Currently wearables are mostly novelty items, in that they are typically used to track health, stress and sleep monitoring.  There has been some clothing made that will light up and create designs with lighting, also some glasses that allow for embedded documents to display and the ability to take picture and stream live data.

As the technology enhances and the laws become more supportive of wearables, I think we can se greater value and effectiveness in their use.  For example, in sports, if a shirt could monitor and track the health and stamina of a player, they could then use that information to know when to rest or keep the player in the game.  Giving them a competitive advantage to their opponents.  Additionally, the same technologies can be used for patients that are being monitored for stress tests.  Instead of sending the patient home with electrode connections and a data gather box, they just need to wear a special shirt.

Glasses can have many different applications as well.  For example, in manufacturing, when a technical is building a car or even kitting a multi-part product, there could be instructions that are visible through the glasses providing real time instructions and offering better quality and speed to the assembly process.

In summary as IoT grows, I think the wearables market will grow as well.  Similar to IoT, security will need to be top of mind for manufacturers and consumers.

 

 

References

Retrieved October 6, 2017 from https://en.wikipedia.org/wiki/Internet_of_things

Joyce, S. (August 2017).  The Next Stage in the Evolution of the Internet of Things – Security. Retrieved October 6, 2017 from http://usblogs.pwc.com/emerging-technology/evolution-of-iot-is-security/

Retrieved October 7, 2017 from https://en.wikipedia.org/wiki/Edge_computing

Retrieved October 8, 2017 from https://en.wikipedia.org/wiki/Wearable_technology