Every year, technology penetrates more aspects of our lives, and with this, important questions arise about how our data is being used and how securely it is stored. Let us pause this month to celebrate National Cybersecurity Awareness Month by recognizing and addressing these challenges.
The IEEE Computer Society brings you daily tips and resources to keep you informed and challenges you to evaluate new technology through the lens of CyberSecurity. Check back daily for new content, and we invite you to sign up for our newsletter to ensure you don’t miss out on new content.
IEEE Computer Society’s Resources for Cybersecurity Awareness Month 2020
31. Ethics in Information Security
We begin with a throwback to Spring 2017, when the global community was forced, by Wikileaks, to face the reality that intelligence agencies were able to use vulnerabilities in the popular mobile operating systems iOS and Android to access private data without the public’s knowledge. The editors of IEEE Security & Privacy Magazine could not ignore the implications for ethics. Their message is as true today as it was then and challenges us to continue asking the difficult questions.
Our society is undergoing pervasive digitalization. It’s not an understatement to say that every facet of human endeavor is being profoundly changed by computing and digital technologies. Naturally, such sweeping changes also bring forth ethical issues that computing professionals must deal with. But are they equipped to deal with them?
Ethical concerns in computing are widely recognized. For example, the recent upsurge in the popularity of applying machine learning techniques to various problems has raised several ethical questions. Biases inherent in training data can render these systems unfair in their decisions (for example, basing hiring decisions on factors, such as distance from workplace, that correlate closely with past performance might also inadvertently correlate with other factors like race). Identifying such sources of unfairness and making machine learning systems accountable are active research topics. Similarly, the rise of autonomous systems has led to questions such as how to deal with the moral aspects of autonomous decision making and how societies can respond to people whose professions might be rendered obsolete by the deployment of such systems. Continue reading
30. OWASP Mobile Application Security Verification Standard (MASVS) and Testing Guide (MSTG)
Developing mobile applications comes with its own unique challenges in data security. With that in mind, we would like to introduce you to the Open Web Application Security Project (OWASP), a nonprofit foundation focused on improving software security. Sven Schleier and Jeroen Willemsen from the foundation joined us for a recent episode of Software Engineering Radio. Take an hour out of your day to hear the discussion.
Host Justin Beyer spoke with Schleier and Willemsen on webviews, certificate pinning, anti-reverse engineering technology, and the OWASP verification standard and testing guide. Specifically, they discussed how you should approach implementing any of the controls enumerated in the verification standard based on your threat model. They also discussed when you should implement certificate pinning and how you should approach implementing web views in your mobile applications. To close out the show, they discussed the Hybrid App guidance in the mobile security testing guide and the need for community contribution to it. They also discussed how the MASVS, MSTG, and Hacking Playground all can fit together to increase developer security knowledge as well as increase the security of your mobile applications to appropriate levels.
Listen to Episode 427 of SE Radio: Sven Schleier and Jeroen Willemsen on Mobile Application Security
29. Opinion: What really is cybersecurity?
Jeffrey Voas, author and innovator from the US National Institute of Standards and Technology (NIST), poses the question: What really is cybersecurity?
The bottom line here is that “umbrella” terms like “cybersecurity” do not lead researchers, practitioners, and the general public into any real understanding of the fundamental issues related to malicious behavior and malicious intent. Refreshing terms from time to time is usually futile and frustrating, but I think for this one it might be timely and beneficial. Read More.
28. Tip: Use multi-factor authentication.
With Covid-19 driving many of us to work from home, we must remember to keep the same level of data security practices in mind. Using multi-factor authentication (MFA) adds an extra layer of security to protect sensitive data, making it more difficult for malicious actors to impersonate you. Many attacks, in fact, specifically target passwords, knowing that for many people the password is the only protection in place. Using MFA wherever possible ensures that these attackers cannot get very far, even if they succeed in obtaining your password: they would still need your second and maybe third “factor” of authentication, such as a security token, your mobile phone, your fingerprint, or your voice, to get into your systems.
27. Continued Learning: Hot Topics in CyberSecurity
For cybersecurity professionals, it goes without saying that continued learning is a vital part of the role and of successfully performing your duties. Providing practical continued learning resources is a vital part of IEEE Computer Society’s goals, and we invite you to attend our all-day event: Hot Topics in CyberSecurity. The event is designed for busy professionals at all levels. If you’re unable to attend the live event, we recommend signing up anyway to ensure you get the recordings sent to your inbox.
IEEE Computer Society DVP-SYP Virtual Conference on
Hot Topics in Cybersecurity
16–17 October 2020
26. Blockchain, Cryptocurrency, and Cybersecurity
Let’s get down to business. Any member of IEEE Computer Society knows that emerging technology arrives frequently and can swiftly alter an entire industry. Chief Information Officers, Product Managers, Engineers, Investors, and the like should all take into account the benefits and potential risks these emerging technologies can present. Earlier this year, Professor Stephen J. Andriole from Villanova University laid out the fundamental questions that need to be evaluated when new technologies emerge. In IT Professional Magazine, Andriole asks:
How should managers and executives assess the potential of emerging technologies? First, they should understand the technologies on the list. Next, they should identify the business models and processes to which they might be leveraged. They should understand how mature the technologies are and should “score” the technologies according to their pilot potential. Finally, they should find pilot sponsors and develop pilot project plans with their sponsors. Continue Reading.
25. Cybersecurity in Manufacturing: Threat Modeling and Solutions
Whether you’re working in the manufacturing industry or are curious about what cybersecurity solutions the industry has to offer, we would like to share New York University’s (NYU) Panel Discussion on Security on Additive Manufacturing Design, Materials, and Sensor-Based Solutions. Prepare for and defend against the cybersecurity risks associated with digital manufacturing.
24. API Security with OAuth 2
API authentication techniques are not going anywhere any time soon. Get up to date on new standards and best practices when using OAuth 2.0 from Justin Richer, one of the lead authors on the topic.
Justin Richer, lead author of the OAuth2 In Action book and editor of the OAuth extensions RFC 7591, 7592, and 7662, discusses the key technical features of OAuth 2.0, the industry-standard protocol for authorization, and what makes it the best choice for authorizing access to API resources. Host Gavin Henry spoke with Richer about browser-based OAuth2, types of tokens, OpenID Connect, PKCE, JSON Web Token pros and cons, where to store them, client secrets, Single Page Apps, Mobile Apps, current best practices, OAuth.XYZ, HEART, MITREid, token validation, dynamic client registration, the decision factors for choosing among the various types of authorization grants, and what is next for OAuth.
23. Cyber-Physical Security Through Information Flow
We continue going deeper into specific aspects of CyberSecurity. Here, we explore how to keep Cyber-Physical systems secure: that is, systems that are primarily physical but have a strong digital component, such as autonomous cars, smart home appliances, aircraft navigation systems, more complicated chemical process systems, and other Internet of Things (IoT) applications. How do we keep the flow of information secure?
Dr. Bruce McMillin, Professor of Computer Science and its interim chair, director of the Center for Information Assurance and co-director of the Center for Smart Living at the Missouri University of Science and Technology, sat with us earlier this year to discuss how these systems need to be evaluated and made secure.
22. Demand for Cybersecurity Experts Is High as Cloud Computing, Smartphones, Big Data, and the Internet of Things Explodes
Much like all humans need water to survive, all computing technology needs security measures to survive. Whether you’re a recent graduate or a professional looking to make your next career move, it’s good to explore how diverse and widespread cybersecurity is as a profession. Check out our CyberSecurity Roundtable with notable names like Massimo Felici, Kate Netkachova, Dan Haagman and David Kotz.
21. Tip: Prevent & Protect your data from ransomware
Prevent ransomware infections.
- Use and maintain preventative software programs. Install antivirus software, firewalls, and email filters—and keep them updated—to reduce malicious network traffic.
- Update and patch your computer. Ensure your applications and operating systems (OSs) have been updated with the latest patches.
- Inform yourself. Keep yourself informed about recent cybersecurity threats and up to date on ransomware techniques.
Protect your data and networks from ransomware.
To guard against ransomware, perform frequent backups of your system and other important files, and verify them regularly. Your best move is to store your backups on an external hard drive or another device that cannot be accessed from a network. Lastly, companies should provide cybersecurity awareness training to their personnel.
20. Cybersecurity Awareness in IoT Threats
As professionals in the computer science industry, we are regularly made aware of the malicious actors looking to access our devices. In honor of Cybersecurity Awareness month, we need to ask ourselves: How do we make the public aware of these threats?
Professor, Consultant, and IEEE CLAS Computer Society Chair Mehrdad Sharbaf lays out the concern clearly and makes a few notable suggestions on how we can approach this.
By 2020, at least 50 billion more devices will become smart via embedded processors. The impact of such Internet of Things (IoT) on our society will be extraordinary. The only thing certain about that number is growth exponentially. However, more connections appear to generate more vulnerabilities. Continue Reading.
19. About Hardware Security
For those disappointed this past Spring when the hardware security event of the year, HOST 2020, was postponed, we have great news: the virtual event is just a few months away! A lineup of speakers will present the latest research and development in hardware security. Sign up for Alerts to stay up to date with the virtual event.
18. Security and Privacy in Machine Learning
Katharine Jarmul, data scientist and founder of Kjamistan, raises interesting questions regarding machine learning and the security concerns revolving around it.
Host Justin Beyer spoke with Jarmul about attacks that can be leveraged against data pipelines and machine learning models; attack types – adversarial example, model inference, deanonymization; and how they can be utilized to manipulate model outcomes; the dangers of Machine Learning as a Service (MLaaS) platforms; privacy concerns surrounding the use and collection of data; securing data and APIs; Privacy Preserving Machine Learning: Federated Learning, and Encrypted Learning through techniques such as Homomorphic Encryption and Secure Multi-Party Computation.
17. Encrypting Direct Emails
Electronic communication through email, instant messages, video calls, and the like has become part of our daily lives. When we communicate sensitive information, however, we understand that these most common forms of communication are not the safest. Eric Osterweil, Computer Science, George Mason University, Fairfax, poses the question “Why?”
Why can’t we send encrypted email (secure, private correspondence that even our mail providers can’t read)? Why do our health-care providers require us to use secure portals to correspond with us instead of directly emailing us? Why are messaging apps the only way to send encrypted messages directly to friends, and why can’t we send private messages without agreeing to using a single platform (WhatsApp, Signal, and so on)? Our cybersecurity tools have not evolved to offer these services, but why? Continue Reading.
16. Bonus Tip: The 7 Most Important Employee Habits to Establish for Higher Cybersecurity
As a business owner, you can invest in the latest and greatest technology to keep your data safe and your systems secure. You can employ VPNs, firewalls, and end-to-end encryption to keep everything on lockdown. But no matter how much time or money you invest, the security of your organization is still going to be in the hands of your employees. Read more for the seven important habits your employees should have.
15. The Quest for Data Transparency
We began this month discussing the importance of ethics in the use and security of data. To discuss these issues properly, the community relies heavily on full transparency about how and where data is being collected and used. Elisa Bertino, from Purdue University, argues that the definition of data transparency must go further.
Past and recent cases of data misuses and data breaches, and the central role that data plays today for artificial intelligence (AI) systems, are pushing the notion of data transparency at the forefront in several contexts. However, data transparency is still patchy and does not even have a comprehensive definition; rather, there are different definitions. Continue Reading.
*Elisa was recently featured in our Women in Stem Interview Series. Read about her journey to success.
14. Disruption, Distortion and Deterioration
2020 may be nearly over, but security threats are here to stay for years to come. Cybersecurity attacks continue to expand and affect businesses in new ways: Disruption, Distortion, and Deterioration. Earlier this year, we published five of the most important threats to be aware of in the context of these three new types of attacks. Read more about these types of attacks and get tips for your team to ensure your business is protected.
13. Tip: Secure your company’s CCTV
For IT management, few issues are more challenging or relevant than cybersecurity. And when it comes to CCTV and other forms of surveillance video footage, it’s important to implement a forward-thinking security plan to prevent confidential information and data from ending up in the wrong hands.
12. Accredited Undergraduate Cybersecurity Degrees: Four Approaches
Cybersecurity professionals are in high demand. As a result, universities are responding by providing full four-year cybersecurity programs accredited by the Accreditation Board for Engineering and Technology, Inc. (ABET). If you or someone in your circle is considering one of these programs, we encourage you to get the breakdown. Computer Magazine published the four approaches these programs take.
11. Dealing with Internal Threats
Security professionals understand that threats to sensitive data can come from internal actors and that, sometimes, those internal threats can have far more serious repercussions than external ones. Employees and other internal actors have the potential to become disgruntled or turn malicious when we least expect them to. Setting aside the complicated issue of whistleblowers, Edward Snowden’s actions in June 2013 can be viewed as a case in which an entity’s trust was violated and data was breached by an employee who had free access to some of the NSA’s most sensitive data. Let us explore how best to protect our data against potentially disgruntled or malicious employees.
10. Current State of Cybersecurity in Smartphones
Every day we rely on our smartphones to stay connected to loved ones, friends, work, and the world. This has made smartphones a prime target for malicious actors. Some have even gone so far as to switch away from smartphones to ensure greater security. Tushar Pandey from B.M.S. Institute of Technology and Management, Bangalore, India, offers some insights into how we can continue using our smartphones safely.
9. The best laid plans or lack thereof: Security decision-making of different stakeholder groups
Making business decisions in 2020 requires input from various stakeholders with different professional backgrounds. In this article, the Bristol Cyber Security Group tests whether security experts truly live up to their name and apply effective strategies in the workplace.
Cyber security requirements are influenced by the priorities and decisions of a range of stakeholders. Board members and CISOs determine strategic priorities. Managers have responsibility for resource allocation and project management. Legal professionals concern themselves with regulatory compliance. Little is understood about how the security decision-making approaches of these different stakeholders contrast, and if particular groups of stakeholders have a better appreciation of security requirements during decision-making. Are risk analysts better decision makers than CISOs? Do security experts exhibit more effective strategies than board members? Continue Reading.
8. DNS Security
Domain Name System (DNS) attacks are common, and threats now arrive even through social media. Do you know what they are and how to protect your systems from these threats? Bert Hubert, creator of PowerDNS, sat down with us recently for our Software Engineering Radio podcast to discuss all aspects of DNS security.
Listen to Episode 404: Bert Hubert on DNS Security
7. Pro Tip: Train your employees to recognize phishing attempts
Cyber attackers use phishing techniques, such as spam emails and phone calls, to find out information about employees, obtain their credentials, or infect systems with malware.
Your basic defense involves getting a properly configured spam filter and ensuring that the most obvious spam is blocked. Beyond that, educate your employees about handling the most common phishing techniques:
- Clicking a malicious link or opening an attachment can infect your system with malware, a trojan, or a zero-day vulnerability exploit. This often leads to a ransomware attack. In fact, 90% of ransomware attacks originate from phishing attempts.
- Don’t open email from people you don’t know.
- Know which links are safe and which are not. Hover over a link to see where it actually leads before clicking it.
- Be suspicious of the emails sent to you in general. Check where each one came from and whether it contains grammatical errors.
- Malicious links can come from friends who have been infected too. So, be extra careful.
6. Security & Privacy
Winner of the 2020 APEX Award of Excellence, Security & Privacy magazine is one of IEEE Computer Society’s most popular magazines for professionals. Whether you work in cybersecurity or are a business owner wanting to stay up to date with the latest threats and security technology, we encourage you to subscribe. Read the latest issue on hardware-assisted security.
*Don’t forget, Computer Society members get a discount!
5. Security or Privacy: Can You Have Both?
Cybersecurity has established itself as a vital part of all software development, from creating the next smart home device to establishing a new cryptocurrency and everything in between. Because of this, one of our flagship magazines, Computer, has found itself obligated to bring its readers a slew of content on Cybersecurity. Here, we present their contested virtual round table.
To draw the attention of prospective panelists, we posed a highly charged teaser question. Is the relationship between the two terms best described as 1) security or privacy or 2) security and privacy; that is, can you have both? Our tactic had the intended effect. We received feedback on the title of the roundtable even before we made the questions available to the panelists. Continue Reading.
4. One Giant Leap for Computer Security
For a more in-depth look at how security measures can be (and likely should be) implemented in the foundation of technology, we present the recommendations of MIT professors Hamed Okhravi, Nathan Burow, Richard Skowyra, Bryan C. Ward, Samuel Jero, Roger Khazan, and Howard Shrobe.
Today’s computer systems trace their roots to an era of trusted users and highly constrained hardware; thus, their designs fundamentally emphasize performance and discount security. This article presents a vision for how small steps using existing technologies can be combined into one giant leap for computer security. Continue Reading.
3. BONUS TIP: While biochips are here to stay, know the security risks and rewards.
Now the ante is being raised as microchip implants are starting to be used in humans more frequently not only as a health tool but in the business environment as well.
2. Top Cybersecurity Issues Faced by Organizations amidst the Pandemic
One way or another, the consequences of the global Covid-19 pandemic have changed all of our lives. Unfortunately, bad actors have sought to take advantage of the current situation and have increased their cybersecurity attacks. Read our article on the Top CyberSecurity Issues Faced by Organizations amidst the Pandemic.
As the COVID-19 pandemic continues to encumber the healthcare system, the global economy, and the well-being of every individual, it is also having a strong impact on the cybersecurity of businesses and individuals. As one would expect, cybercriminals are finding ways to capitalize on the burgeoning levels of anxiety and fear resulting from the pandemic. Continue Reading.
1. Cyberthreats in 2025
We end Cybersecurity month with a vision of the future, specifically 2025. Earlier this year, Computer Magazine published another virtual round table with six experts in cybersecurity to discuss what we can expect and what we must prepare for in the coming years.
The six experts are:
- Jon Brickey – Mastercard
- Simson Garfinkel – U.S. Census Bureau
- Gary McGraw – Berryville Institute of Machine Learning
- Latif Ladid – Université du Luxembourg
- Bruce Potter – shmoo.com
- John Viega – Capsule8