Thursday, October 28, 2021

Internet of Things (IoT) Basics

Internet of Things (IoT)

Internet of Things. I feel this is a very late post, given the day I am posting it. Everyone knows about it, and many organizations have already started implementing IoT around the globe. Many smart devices have been manufactured and sold. People are very happy.

IoT refers to the many physical devices that are connected to the internet and can collect and share data with each other without human intervention. These are computing devices connected wirelessly into a network.

IoT collects, analyzes, and processes data streams in real time, without any delay, to make control decisions actively.

Examples include a smart watch, smart light bulb, smart thermostat, smart air conditioner, sensors, Amazon Echo, smart TV, wireless printer, audio assistant, VoIP, washing machine, dishwasher, smart lock, smart doorbells, smart refrigerator, automobiles and many more.

There are more connected things than the total number of people on earth. According to news from multiple vendors, it is predicted that in total there will be 100 billion connected IoT devices by 2025.

IoT consists of software-defined and hardware-defined products. It is a virtual representation of a physical product.

Key components of IoT

  • Network Infrastructure
  • Gateway
  • Devices or Sensors
  • Cloud Infrastructure

Affordable and reliable low-power sensors are making IoT technology possible for more manufacturers nowadays.

Advantages

  • Technology Optimization
  • Reduced waste
  • Improved data collection
  • Privacy
  • Ease of Use
  • Increasing efficiency
  • Improves tracking
  • Health analysis
  • Edge Computing
  • More use of Industrial IoT 
  • Automation

Many industries benefit from IoT, including:

Manufacturing, automotive, healthcare, transportation and logistics, retail, etc.

As we know, some manufacturers are adding sensors to the components of their products so that they can transmit data back about how they are performing through a user experience program.

Analytics and big data play a critical role in transforming data into useful information. Big data means a huge amount (PB or GB) of structured and unstructured data, and analyzing that data to gain insight into business requirements. The role of big data in IoT is to process a huge quantity of data on a real-time basis and store it using different storage technologies.

Similarly, IoT security is a very important aspect, and it needs to be taken care of at every step of the development phase. There are many ways you can secure your IoT network devices and minimize the security risks.

On a brief note,

  • Do not keep the default passwords on any device, including access points.
  • Use multifactor authentication
  • Use VPN and encryption technology
  • Segment your network
  • Update software and patch regularly
  • Monitor regularly

Connected devices are growing rapidly day by day and becoming popular. There is a good chance of having at least one such device in our home. All these connected devices are known as the internet of things (IoT).
IoT is purely dependent on sensors. Without proper sensors, IoT is like a body without a soul.

Sensors are the hardware that monitors, measures and collects data. They send data to the primary device, where it is processed through data analysis and passed to a GUI. There are many types of sensors, such as:

Temperature Sensors: These sensors are often used in the information technology, manufacturing and agriculture industries. These tiny devices measure room temperature or a device's temperature against a safety limit and send the data to a centralized location.

Proximity Sensors: When you walk into a store and instantly receive a special offer or discount via text message or an application notification on your smart phone, that's because a proximity sensor in the retail store identified you and that you are open to receiving promotions.

There are many other sensors, such as humidity sensors, smoke detectors, water sensors, level sensors, pressure sensors, etc.
Many luxury cars also come with many sensors, such as rain sensors, dust sensors, automatic door locks, etc.

So, this is just basic information for your understanding. If you have any comments or suggestions, please post them. Share only if you feel it's useful.

-DR



Wednesday, October 27, 2021

Software Vulnerability and Security

Software Vulnerability and Security

A software vulnerability is a loophole, glitch, flaw or weakness present in software, an application or an operating system. Every system has its own vulnerabilities, be it Android, Linux, Windows, Flash Player, Adobe, etc.

There are many ways to find those vulnerabilities, such as scanning, injecting, scripting, etc. By scanning a web application, you can find holes in the website or application, and by scanning the physical system, you can identify the operating system and other application vulnerabilities.

An attacker can exploit a vulnerability in software or an application to steal or manipulate sensitive and critical data or information, join the system to a botnet, install a backdoor, or plant other types of malware, trojans, etc. Also, after penetrating one network host, the attacker could use that host to break into other hosts on the same network.

To avoid software vulnerabilities, software developers must learn secure coding best practices, and automatic as well as manual security testing must be carried out during the entire software development process.

Some important software vulnerabilities are:

Buffer Overflow:

This vulnerability occurs when a program tries to put more data in a fixed-length buffer than its storage capacity allows. As a result, it can crash the program, corrupt data, and even cause the execution of malicious code. Coding errors are typically the cause of buffer overflows, and languages like C, C++ and Java are mainly responsible for this kind of glitch.

To avoid buffer overflows, application developers should avoid standard library functions in C/C++ that are not bounds-checked, such as strcpy, gets, strncat and scanf.

Sensitive Data Exposure:

Sensitive data such as addresses, passwords, and account numbers must be correctly protected. If it isn't, untrustworthy agents gain access to the sensitive data.

Broken Authentication

Authentication and session management application functions need to be executed correctly.

Security Misconfiguration

Security misconfigurations are often the result of insecure default configurations, misconfigured HTTP headers, and unnecessary HTTP methods. Attackers can exploit security misconfigurations to gain knowledge of the application and API components during their reconnaissance phase.

To avoid this flaw, the following points need to be considered.

  • Do not use vendor or OEM supplied defaults for system passwords and other security parameters. 
  • Modify the password policy by enabling enforcement, setting maximum duration to 90 days or less. 
  • Protect all systems against malware and regularly update software.
  • Configure the BIG-IP ASM security policy to blacklist and safeguard your account.

Considering the software development life cycle and attack scenarios, the OWASP Top 10 came into the picture to provide a more in-depth security posture for software and applications.

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.

All OWASP tools, documents, videos, presentations, and chapters are free and open to anyone interested in improving application security. 

In brief, below is the list of the OWASP Top 10 vulnerabilities.

  • A01:2021-Broken Access Control
  • A02:2021-Cryptographic Failures
  • A03:2021-Injection
  • A04:2021-Insecure Design
  • A05:2021-Security Misconfiguration
  • A06:2021-Vulnerable and Outdated Components
  • A07:2021-Identification and Authentication Failures
  • A08:2021-Software and Data Integrity Failures
  • A09:2021-Security Logging and Monitoring Failures
  • A10:2021-Server-Side Request Forgery

You can refer to the OWASP website for further details.


-DR

Tuesday, October 26, 2021

Securing Email Server

Email Security

Email security describes the different procedures and techniques for protecting email accounts, content, and email communication against unauthorized access, loss or compromise. Mail is the prime method, or common entry point, used to initiate an advanced attack. Presently everyone uses either on-premise or cloud-based email, and everywhere malware, whaling, spam and phishing emails are common.

Many attacks are carried out using misleading messages that entice users to disclose sensitive information, or that ask them to open attachments or click on hyperlinks that install malware on the device. A small loophole can bring down the entire network. Sometimes experienced professionals also fall victim to these kinds of attacks.

So below are some best practices for in-depth email security.

Setup SPAM filter:

A spam filter protects the user by screening all incoming mail. This is crucial for email security. Dedicated appliances are available on the market to handle large volumes of mail. Always remember to subscribe to a DNS blackhole list. This will block most spam.

A Domain Name System-based blackhole list, Domain Name System blacklist (DNSBL) or real-time blackhole list (RBL) is a service that lets mail servers check, via a Domain Name System (DNS) query, whether a sending host's IP address is blacklisted for email spam. Almost all mail server software can be configured to check such lists, typically declining or flagging messages from such harmful sites.
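The DNS check described above, as an added example that is not part of the original post: the sender's IP is reversed, prefixed to the list's zone and resolved, and an answer in 127.0.0.0/8 means "listed". The zone dnsbl.example.test and the sample_resolver function are constructed so the code runs offline; pass nothing for resolve to use real DNS.

```python
import ipaddress
import socket

DNSBL_ANSWERS = ipaddress.ip_network("127.0.0.0/8")  # listings come back in this range


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS name a mail server looks up to test `ip` against `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                   # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone.strip(".")


def dnsbl_lookup(ip: str, zone: str, resolve=socket.gethostbyname):
    """Return the list's answer (e.g. '127.0.0.2') if `ip` is listed, else None."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None  # no such name: the address is not on the list
    # An answer outside 127.0.0.0/8 is not a listing (for example a parked
    # or wildcarded zone); treating it as "listed" would reject all mail.
    if ipaddress.ip_address(answer) in DNSBL_ANSWERS:
        return answer
    return None


def sample_resolver(name: str) -> str:
    """Constructed stand-in for DNS so the example runs offline."""
    records = {
        "99.2.0.192.dnsbl.example.test": "127.0.0.2",      # listed sender
        "7.100.51.198.dnsbl.example.test": "203.0.113.1",  # bogus wildcard answer
    }
    if name not in records:
        raise socket.gaierror("constructed NXDOMAIN")
    return records[name]


if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.10", "198.51.100.7"):
        print(ip, dnsbl_lookup(ip, "dnsbl.example.test", sample_resolver))
```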

Enable rate control to prevent remote senders from overwhelming the server. Enable content analysis to heuristically block or quarantine probable spam.

DLP Rules:

Set up powerful data leak prevention (DLP) rules, which can help to stop outbound email data loss and can provide the capability to set allow/deny lists.

Enable SPF

It is used to prevent email spoofing. Sender Policy Framework (SPF) works by publishing a DNS record listing which servers are permitted to send email from a specific domain. SPF should be enabled on all edge email servers to ensure that emails coming into your organization can be checked for SPF.

Enable DKIM

DomainKeys Identified Mail (DKIM) adds a cryptographic signature to every message that can be validated by a remote server against a DNS TXT record. Failure to use DKIM decreases the integrity of email and increases the likelihood of the domain being blacklisted.

Set a Throttling Policy

In some cases, a legitimate user becomes a spammer after falling for a phishing scam or otherwise having their password compromised. So, restrict the number of recipients per sender per day and the number of emails per day so that a compromised account cannot be abused. Throttling policy settings are stored in Active Directory. With a throttling policy, the associated users can have up to a defined maximum number of concurrent requests running in Exchange Web Services.

Email Encryption

To ensure end-to-end privacy for emails, encrypt the email itself between the sender and the recipient.

Attachment Restriction

Email attachments are also considered an effective malware delivery system, so it’s important to restrict the types of attachments that come through your server. The most dangerous file types are executables, so extensions such as .exe, .bat, .vbs, .jar, and so forth should always be blocked. The attachment size should also be restricted.
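One way to apply this restriction to a raw message, as an added example that is not part of the original post. The blocked extensions are the ones named above; the 10 MB size limit, the function names and the sample message are assumptions made for the illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".bat", ".vbs", ".jar"}  # types named in the post
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024                # assumed size limit


def extension(filename: str) -> str:
    """Last extension, lower-cased, ignoring trailing dots and spaces."""
    cleaned = filename.strip().rstrip(". ").lower()
    return "." + cleaned.rsplit(".", 1)[1] if "." in cleaned else ""


def attachment_violations(raw: bytes, max_bytes: int = MAX_ATTACHMENT_BYTES):
    """Return (filename, reason) pairs for every part that breaks policy."""
    message = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in message.walk():            # also reaches nested parts
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        # Only the last extension counts: "Invoice.pdf.EXE" is an .exe.
        ext = extension(name)
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension " + ext))
        if len(part.get_payload(decode=True) or b"") > max_bytes:
            findings.append((name, "attachment too large"))
    return findings


def constructed_sample() -> bytes:
    """Constructed message with one harmless and one blocked attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="Invoice.pdf.EXE")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in attachment_violations(constructed_sample()):
        print(finding)
```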

Keep Security logs

Retain all the logs. It’s a good idea to develop a log retention policy for your site. This should include what type of information is stored and for how long, whether online or offline, and whether the data is confidential.

Top email security solutions on the market include Microsoft Defender for Office 365, Cisco Email Security, Barracuda Essentials, Forcepoint, etc.

So, this is just basic information on email security steps. You can do further research to get the required information.

Feel free to comment your suggestions. 

Thanks

-DR

Monday, October 25, 2021

Data Life Cycle and Protecting Data

Data Life Cycle and Protecting the Data.

The principle of integrity and confidentiality is pervasive across all stages. We should always be aware of how to securely manage personal information to prevent accidental loss or unauthorized access. Every piece of data has its own life cycle. This life cycle is the sequence of stages that data goes through, from its initial generation, collection or capture to its eventual archival and/or deletion. While protecting data, always use a security-by-design approach.

  • Collection of Data
  • Storing of Data
  • Using of Data
  • Sharing of Data
  • Transferring Data
  • Retaining Data
  • Deleting Data

Collection of Data:
  • While collecting data, only collect personal information for the purpose specified in your privacy notice.
  • Consider the amount and type of personal data you need for your purpose.
  • Never use the data for marketing, advertising, or analytics.
  • Only collect personal information that is adequate, relevant, and limited to your specific purpose.
  • Only use approved methods to collect the data to ensure integrity and confidentiality.

Storing personal Data:
  • Always store personal information in line with the applicable data storage policies.
  • Ensure hard copies of data are securely locked away, and pseudonymize data before storing it.
  • Financial records and trade secrets need to be stored with the appropriate access and use permissions.
  • The data storage solution/system needs to be adequate in terms of long-term storage capability and redundancy.
  • Many organizations presently choose a cloud service for their primary data storage instead of their local on-premise infrastructure. While this is a feasible approach, given that the cloud service provider offers acceptable and adequate redundancy, it comes with the risk of losing full control of the data and, in cases where the data is encrypted neither in transit nor at rest, unauthorized access to the data by the provider is possible.

Using Data:
  • Any changed or additional uses of personal information must be documented.
  • Ensure personal information is accurate and used as per requirement.

Sharing Data:
  • Prevent unauthorized access on data while sharing.
  • Use secure mechanisms and best practices while sharing data, such as end-to-end encryption, double-checking permission settings, maintaining an audit trail, etc.

Transferring Data:
  • While transferring data, Secure Data Transfer (SDT) provides a way to securely read and write logical volume data between groups or clusters within a network.
  • SDT uses OpenSSL software libraries with the TLS 1.2 protocol, using both AES-256 and AES-128 keys.
  • Sharing personal information across borders can sometimes be complex.
  • The secure methods of data transmission are email encryption, website encryption, and use of the FTP and SFTP protocols.
  • Encrypt data in motion, encrypt data at rest, and authenticate at both the sender and receiver ends to verify.

Retaining Data:
  • There should be a documented data retention policy. A data retention policy is a key step in managing and protecting an organization’s important data, to avoid the civil, criminal and financial consequences and penalties that sometimes result from poor data management practices.
  • Determine which regulations are applicable to you and your organization.
  • Only retain personal information that has a specified purpose.

Deleting Data:
  • When your job is done, delete the personal data.
  • Dispose of or delete the data securely.
  • Use a shredder to destroy hard copies or paper documents. Use data wipe tools to securely erase data from hard drives.
  • Types of data deletion also include overwriting, formatting, degaussing, physical destruction (drill or crush), etc.

The consequences of data breaches are growing rapidly day by day. So being aware and educating the organization's own employees are also important.

If you have any additional comments, feel free to post.
Like and Subscribe!
Thanks!

-DR

Friday, October 22, 2021

Cyber Security Awareness Month October 2021

Cyber Security Awareness Month.

October is celebrated as global cyber security awareness month; previously it was known as National Cyber Security Month.

This year, 2021, the theme is “Do Your Part. #BeCyberSmart.”

Many organizations and firms are spreading their awareness campaigns around the globe. So I wanted to be part of sharing some awareness. So in just a simple way I am sharing the awareness tips shared by DSCI. So be cyber safe. Avoid unknown links, think before you click.

Below are a few power tips on:

  • Password Safety
  • Phishing and Email Security
  • How to maintain social media Hygiene
  • Work from anywhere tips
  • Web surfing security tips
  • Portable media security tips

Source: DSCI







For more cyber security posts, please refer to all my posts from January 2021.

https://diptechlearn.blogspot.com/2021

Thanks

-DR. 


Monday, October 18, 2021

HTTP Requests

HTTP Requests

Whenever we visit a page on the web, our computer uses the Hypertext Transfer Protocol (HTTP) to download or fetch that page (HTML) from another computer or server somewhere on the Internet.

For example: http://abc456.com/index.html/79u0u 

In a client-server architecture, HTTP (Hypertext Transfer Protocol) is an application layer protocol used to communicate hypermedia documents between devices and browsers. It is built over the TCP/IP protocol and works as a request and response protocol between a client and a server.

The methods used in HTTP are listed below:

  • GET
  • POST
  • PUT
  • HEAD
  • DELETE
  • PATCH
  • OPTIONS

Of these, two methods are mainly used: HTTP GET and HTTP POST.

The HTTP GET request method is used to request a resource from the server. Web browsers generally use HTTP GET and HTTP POST, but others, such as desktop and mobile applications, use many other forms. GET is less secure and is easier for script kiddies to hack because the data sent is part of the URL, so it is saved in browser history and server logs in plaintext.

HTTP POST is a method meant to send data to the server from an HTTP client. The HTTP POST method requests that the web server accept the data enclosed in the body of the POST message. This is often used when submitting login or contact forms or uploading files and images to the server. The HTTP POST method is used to create or add a resource on the server. It is more difficult to hack because the parameters are not stored or saved in internet browser history or in web server logs.

GET parameters are visible to everyone, as they are displayed in the browser's address bar, and GET has limits on the amount of information that can be sent, whereas POST method variables are not displayed in the URL.
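What "saved in server logs in plaintext" looks like in practice, as an added example that is not part of the original post: a scan of web server access log lines for sensitive parameter names in the URL. The log lines and the list of parameter names are constructed; the finding on the POST line shows that anything placed in the query string is logged whatever the method, while the form body is not.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed parameter names to treat as sensitive; extend for your application.
SENSITIVE = {"password", "passwd", "pwd", "token", "api_key", "secret"}

# Request line inside a common/combined format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP addresses, made-up values).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2021:10:00:01 +0000] '
    '"GET /login?user=alice&password=Summer2021 HTTP/1.1" 200 512',
    '203.0.113.5 - - [18/Oct/2021:10:00:09 +0000] '
    '"POST /login HTTP/1.1" 302 0',
    '203.0.113.8 - - [18/Oct/2021:10:01:30 +0000] '
    '"GET /search?q=iot+sensors HTTP/1.1" 200 2048',
    '203.0.113.9 - - [18/Oct/2021:10:02:11 +0000] '
    '"POST /api/reset?token=abc123 HTTP/1.1" 200 64',
]


def leaked_parameters(log_lines):
    """Return (method, path, parameter) for each sensitive name found in a URL.

    The parameter value is deliberately not returned, so the report does
    not become another copy of the secret.
    """
    findings = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue                      # not a request line we understand
        target = urlsplit(match["target"])
        for key, _value in parse_qsl(target.query, keep_blank_values=True):
            if key.lower() in SENSITIVE:
                findings.append((match["method"], target.path, key))
    return findings


if __name__ == "__main__":
    for finding in leaked_parameters(SAMPLE_LOG):
        print(finding)
```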

The initial version of the HTTP protocol was 0.9, which supported the GET method. Version 1.0 was then released, supporting the GET, POST and HEAD methods.

Later, version 1.1 came with support for the GET, POST, HEAD, OPTIONS, PUT, DELETE, TRACE, and CONNECT methods.

HTTP 2.0, also known as HTTP 2, came later, supporting methods such as GET, POST, HEAD, OPTIONS, PUT, DELETE, TRACE, CONNECT, and PATCH.

This is just a basic understanding. 

-DR





Network Scanning Tools

Network Scanning through Nmap and Nessus

Network scanning is a process used to troubleshoot active devices on a network for vulnerabilities....