If there is one thing we have all learned from the pandemic, it is how accessible and scalable the internet has become for pursuing all aspects of our lives. This monumental shift in the way we live has increased the importance of privacy and security. With increased connectivity comes the need for greater awareness.
October is Cybersecurity Awareness Month. The IEEE Computer Society encourages everyone to take some time to reflect on the many new and persistent threats that challenge the computing industry and our everyday lives. Make sure your company and personal practices stay cyber secure. Bookmark this page as it will be updated daily with a countdown of new ideas, learning, and resources to keep you informed!
IEEE Computer Society’s Resources for Cybersecurity Awareness Month 2021
Biometrics are measurable physical characteristics and behavioral traits of the human body. From a cryptographic perspective, biometrics possess properties that make them suitable as an authentication factor: they cannot be forgotten like a password or PIN, and they cannot be lost or stolen like a token. Biometrics can help address the inherent weakness of cryptography in identifying a genuine user. However, biometrics themselves are limited in number and are permanently lost if compromised. Also, the privacy of biometrics is subject to the protection of legal regulations. Therefore, there is a paradigm shift towards privacy-preserving biometric authentication technology, which has the potential to address these concerns. Continue reading.
The emerging field of privacy-preserving biometrics is attracting significant attention, as a paradigm that can address several of the key concerns in cryptographic authentication processes, whilst simultaneously addressing the issues of privacy. This paper contributes to the understanding of the field from the following perspectives: (1) It proposes a novel and comprehensive taxonomy of privacy-preserving biometrics for the classification of the knowledge/existing literature in the field. (2) It provides a taxonomy-guided literature survey. (3) Open research problems/future works are discussed. (4) As the techniques used in privacy-preserving biometric authentication systems rely upon, or integrate with, general biometric matching techniques, a taxonomy and summary of the state-of-the-art biometric matching techniques has also been developed. Such system-level knowledge organization will help produce excellent self-contained reference materials for researchers in both the biometrics community and the cryptography community who would otherwise have difficulty in understanding the relevant materials from the other community.
“Biometrics and Privacy-Preservation: How Do They Evolve” in IEEE Open Journal of the Computer Society, vol. 2, pp. 179-191, 2021.
Authors: Quang Nhat Tran, Benjamin P. Turnbull, Jiankun Hu
Industry and government agencies have been using encryption to protect data and other sensitive information in communications and technology networks for several decades. Only in the last 10 to 20 years have people started discussing the concept of “security built in.” This article looks to answer questions around the preparedness of Master’s students to “build security in” and further the field of security. Continue reading.
We present a review of European master of science programs in cybersecurity and reflect on the presence (and lack) of knowledge and skills needed to build security in.
“Are We Preparing Students to Build Security In? A Survey of European Cybersecurity in Higher Education Programs” in IEEE Security & Privacy, vol. 19, pp. 81-88, Jan-Feb 2021.
Authors: Nicola Dragoni, Alberto Lluch Lafuente, Fabio Massacci, Anders Schlichtkrull
The pandemic has seen a major shift in the workforce. More employees are accessing business-related emails and completing their work from their homes. This is increasing the opportunity for hackers and malware to take advantage of employees as they work from less secure home locations.
Continue reading to learn the five reasons to make cybersecurity a priority in your organization.
Susan Landau is Bridge Professor in Cyber Security and Policy at The Fletcher School and the School of Engineering, Department of Computer Science, Tufts University as well as Visiting Professor, Department of Computer Science, University College London. She works at the intersection of cybersecurity, national security, law, and policy. Our conversation with Prof. Landau ranges from the importance of technical communication on matters of risk to interactions and trade-offs among safety, privacy, and other public goods, as well as what it’s like to build a career in public policy, security, privacy, and technology.
Listen to episode 1 of Over the Rainbow podcast
Cyberattacks are on the rise. Last year Amazon Web Services was hit with a distributed denial of service (DDoS) attack with large amounts of data being stolen. We continue to see the number of cyberattacks increase as our post-COVID world relies heavily on the internet to execute personal and professional aspects of our lives. Continue reading to learn how you can protect your private information.
The rapid proliferation of computing and communication systems with increasing computational power and connectivity into every sphere of modern life has brought security to the forefront of system design, test, and validation processes. The emergence of new application spaces for these systems in the internet-of-things (IoT) regime is creating new attack surfaces as well as new requirements for secure and trusted system operation. Additionally, the design, manufacturing, and distribution of microchips, PCBs, and other electronic components are becoming more sophisticated and globally distributed, with a number of potential security vulnerabilities. Therefore, hardware plays an increasingly important and integral role in system security, with many emerging system and application vulnerabilities and defense mechanisms relating to hardware.
HOST aims to facilitate the rapid growth of hardware-based security research and development. HOST highlights new results in the area of hardware and system security. Relevant research topics include techniques, tools, design/test methods, architectures, circuits, and applications of secure hardware.
The 2021 HOST accepted papers have been announced. View here.
This episode is all about the lessons learned from a major cyberattack. Andy Powell of AP Moller Maersk discusses the 2017 NotPetya cyberattack and the company’s efforts to recover from it. Listen in to hear how digital forensics helped them find the root causes, and how “secure by design” was introduced as a result.
Could it be that both TV and digital ads are not as effective as we were led to believe by large empires like Facebook? This study explores the validity of such a question and the power blockchain systems have in tracing and transparency. Continue reading to learn more about privacy-preserving blockchain systems.
Blockchain and smart contracts have seen significant application over the last decade, revolutionizing many industries, including cryptocurrency, finance and banking, and supply chain management. In many cases, however, the transparency provided potentially comes at the cost of privacy. Blockchain does have potential uses to increase privacy-preservation. This paper outlines the current state of privacy preservation utilising Blockchain and Smart Contracts, as applied to a number of fields and problem domains. It provides a background of blockchain, outlines the challenges in blockchain as they relate to privacy, and then classifies the areas in which this paradigm can be applied to increase or protect privacy. These areas are cryptocurrency, data management and storage, e-voting, the Internet of Things, and smart agriculture. This work then proposes PPSAF, a new privacy-preserving framework designed explicitly for the issues that are present in smart agriculture. Finally, this work outlines future directions of research in areas combining future technologies, privacy-preservation and blockchain.
“A Survey on Privacy-Preserving Blockchain Systems (PPBS) and a Novel PPBS-Based Framework for Smart Agriculture” in IEEE Open Journal of the Computer Society, vol. 2, pp. 72-84, 2021.
Authors: Quang Nhat Tran, Benjamin P. Turnbull, Hao-Tian Wu, A.J.S. De Silva, Katherine Kormusheva, Jiankun Hu
Because of its proven benefits, container technology is being widely adopted by companies like Uber and Netflix for the rapid development of microservice architectures. As a lightweight alternative to the virtual machine (VM) in conventional cloud infrastructures, containers have shorter startup times and lower virtualization overhead. Moreover, containers also provide a consistent and portable software environment, which lets cloud services run and scale anywhere regardless of platform differences. Continue reading to learn more about this framework for dynamic security evaluation systems.
Due to their lightweight features, the combination of container technology and microservice architecture makes a container-based cloud environment more efficient and agile than a VM-based cloud environment. However, it also greatly amplifies the dynamism and complexity of the cloud environment and concurrently increases the uncertainty of security issues in the system. In this case, the effectiveness of defense mechanisms with fixed strategies would fluctuate as updates occur in cloud environments. We refer to this problem as the effectiveness drift problem of defense mechanisms, which is particularly acute in proactive defense mechanisms such as moving target defense (MTD). To tackle this problem, we present DSEOM, a framework that can automatically perceive updates of container-based cloud environments, rapidly evaluate the effectiveness of MTD and dynamically optimize MTD strategies. Specifically, we establish a multi-dimensional attack graph model to formalize various complex attack scenarios. Combining this model, we introduce the concept of betweenness centrality to effectively evaluate and optimize the implementation strategies of MTD. In addition, we present a series of security and performance metrics to quantify the effectiveness of MTD strategies in DSEOM. We conduct extensive experiments to illustrate the existence of the effectiveness drift problem and demonstrate the usability and scalability of DSEOM.
“DSEOM: A Framework for Dynamic Security Evaluation and Optimization of MTD in Container-Based Cloud” in IEEE Transactions on Dependable and Secure Computing, vol. 18, pp. 1125-1136, May-June 2021.
Authors: Hai Jin, Zhi Li, Deqing Zou, Bin Yuan
Few people are strangers to malware thanks in large part to anti-virus software like Norton. Cyberattacks are a threat to everyone. Hackers continue to innovate and find new ways to steal information from people and businesses.
One new method hackers are implementing is fileless malware. This new form of attack has increased by 265% in the last two years. Continue reading to learn about fileless malware and how to protect your business.
The significant growth in the number of users with mobile phones as well as the adoption of key enabling technologies like cloud computing has led to the creation of an entire tracking ecosystem that could facilitate the use of pervasive surveillance methods. However, this development also brings serious privacy concerns as current governance and regulatory frameworks are lagging behind these technological advancements. Continue reading “Privacy in a Time of COVID-19: How Concerned Are You?”
We introduce a study examining people’s privacy concerns during COVID-19 and reflect on people’s willingness to share their personal data in the interest of controlling the spread of the virus and saving lives.
“Privacy in a Time of COVID-19: How Concerned Are You?” in IEEE Security & Privacy, vol. 19, pp. 26-35, September-October 2021.
Authors: Ramona Trestian, Guodong Xie, Pintu Lohar, Edoardo Celeste, Malika Bendechache, Rob Brennan, Evgeniia Jayasekera, Irina Tal
Building security into machine learning systems from a security engineering perspective is of interest to the Berryville Institute of Machine Learning. This means understanding how machine learning systems are designed for security and finding vulnerabilities. Continue reading “The Top 10 Risks of Machine Learning Security.”
Our recent architectural risk analysis of machine learning systems identified 78 particular risks associated with nine specific components found in most machine learning systems. In this article, we describe and discuss the 10 most important security risks of those 78.
“The Top 10 Risks of Machine Learning Security” in Computer, vol. 53, pp. 57-61, June 2020.
Authors: Gary McGraw, Richie Bonett, Victor Shepardson, Harold Figueroa
In episode 453 of SE Radio, Aaron Rinehart, CTO of Verica, joins host Justin Beyer to discuss how security chaos engineering (SCE) can be used to increase security in application architecture. They cover how SCE fits into the overall chaos engineering discipline and compare it to traditional security approaches.
Listen to SE Radio episode 453
UAVs are currently being used in city security, inspection of power grids, fire control in tall buildings, base stations, and ships. In addition, they are also being used in logistics, emergency response, medical transport, and scientific research. Because of their many potential applications, UAVs are able to connect to 5G UAV airborne communication terminals. These terminals can collect and transmit data over 5G networks to control beyond-line-of-sight (BLOS) flight of UAVs.
Continue reading “Trust Based Scheme to Protect 5G UAV Communication Networks” to dive into the proposed trust scheme for 5G UAV communications system.
“A Trust Based Scheme to Protect 5G UAV Communication Networks” in IEEE Open Journal of the Computer Society, vol. 2, pp. 300-307, 2021.
Author: Yu Su
In this episode, Rey Bango, Senior Director of Developer and Security Relations at Veracode, joins for a discussion on the topic of secure code. Highlights of the discussion include the need for secure coding, barriers to adoption, and how training can help teams adopt secure coding practices.
Listen to Episode 475 to join the conversation around documentation and verifying security early and regularly.
Presented by Nancy Mead, Fellow of the Software Engineering Institute and adjunct professor of Software Engineering at Carnegie Mellon, and Daniel Shoemaker, professor and graduate program director at the University of Detroit Mercy.
Software engineering education often does not include methods to ensure that code in commercial off-the-shelf (COTS) products has not been compromised during the sourcing process. This free webinar discusses the challenges and solutions for integrating secure supply chain risk management into development projects.
Watch this webinar on-demand.
Mobile apps have revolutionized the way we interact with businesses and content in general. However, we don’t always know if what we are downloading is secure. Code signing certificates provide consumers with peace of mind by providing credentials from the software developer that the application they are downloading has not been tampered with. Learn more about code signing certificates and how they work. Continue reading.
The average app user and website visitor has come across hundreds of privacy policies. So much so that you probably select “Agree” without giving much thought to what type of information these sites are collecting. However, with the rise of malicious software and data breaches, one must stop and ask oneself, “are these companies truly holding to their privacy policies?” This paper carried out a study on privacy policies using an app called PPChecker. Results show that a staggering number of mobile apps have questionable privacy policies. Continue reading to learn about the 5 problem areas identified in this study.
“PPChecker: Towards Assessing the Trustworthiness of Android Apps’ Privacy Policies” in IEEE Transactions on Software Engineering, vol. 47, pp. 221-242, Feb 2021.
Authors: Le Yu, Xiapu Luo, Jiachi Cheng, Hao Zhou, Tao Zhang, Henry Chang, Hareton K. N. Leung
9. How AI can help prevent Cyber Attacks in the eCommerce Sector
Technology has been crucial in everyone’s life while navigating the pandemic. From home, it has enabled education, work, and daily tasks like shopping. This means a large amount of personal information is being shared, and hackers are taking notice. The number of hackers using fileless malware is increasing at an extraordinary rate. Research is being conducted on how to best patch the loopholes currently being exploited. Continue reading to learn how AI is combating fileless malware.
8. IEEE Secure Development Conference 18-20 Oct, Fully Virtual
SecDev is a venue for presenting ideas, research, and experience about how to develop secure systems. It focuses on theory, techniques, and tools to build security into existing and new computing systems.
The goal of SecDev is to encourage and disseminate ideas for secure system development among academia, industry, and government. It aims to bridge the gap between constructive security research and practice and to enable the real-world impact of security research in the long run. Developers have valuable experiences and ideas that can inform academic research, and researchers have concepts, studies, and even code and tools that could benefit developers.
View Conference Program
Register for this event before 18 October 2021
7. How to Check Trusted Root Certificates Installed on an Android Device
Mobile applications have revolutionized the way we use and interact with our phones. They have even had a tremendous impact on how we interact with businesses. A drawback to incorporating mobile phones and applications into our lives is an increased attack surface. Hackers are exploiting vulnerabilities in our mobile devices to gain access to sensitive information and pieces of our lives. Implementing an SSL certificate on a mobile phone is a vital security protocol every Android device should have. Continue reading to learn how to check and install a code signing certificate on your mobile device.
6. A Novel Intrusion Detection Model for Detecting Known and Innovative Cyberattacks Using Convolutional Neural Network
The number of applications streaming services to users is exploding. This type of service requires minimal installation and demands less computing power on the user’s device because these applications operate from the cloud. This provides many advantages for both companies and end-users, enabling more streaming products for a customer base that doesn’t have access to the latest devices. However, the extensive data exchange creates more opportunities for cyberattacks.
As a tremendous amount of service is being streamed online to users, along with massive amounts of private digital information transmitted in recent years, the internet has become the backbone of most people’s everyday workflow. The expanding usage of the internet, however, also expands the attack surface for cyberattacks. If no effective protection mechanism is implemented, the internet will be very vulnerable, and this will raise the risk of data being leaked or hacked. The focus of this paper is to propose an Intrusion Detection System (IDS) based on a Convolutional Neural Network (CNN) to reinforce the security of the internet. The proposed IDS model is aimed at detecting network intrusions by classifying all the packet traffic in the network as benign or malicious. The Canadian Institute for Cybersecurity Intrusion Detection System (CICIDS2017) dataset has been used to train and validate the proposed model. The model has been evaluated in terms of overall accuracy, attack detection rate, false alarm rate, and training overhead. A comparative study of the proposed model’s performance against nine other well-known classifiers has been presented. Continue Reading.
“A Novel Intrusion Detection Model for Detecting Known and Innovative Cyberattacks Using Convolutional Neural Network” in IEEE Open Journal of the Computer Society, vol. 2, pp. 14-25, 2021.
Authors: Samson Ho, Saleh Al Jufout, Khalil Dajani, Mohammad Mozumbar
5. Workshop on 5G Security: Current Trends, Challenges, and New Enablers
The world has been busy upgrading its networks and making 5G available to more people. Companies like OPPO have already begun research and planning for 6G, but there are still 5G trends and challenges waiting to unfold. 5G World Forum is the flagship event of the IEEE Future Networks Initiative, taking place 13 – 15 October 2021. Each year the conference holds multiple workshops and sends out calls for papers.
2021 Workshops and Special Sessions:
The 5G long term vision is to turn the network into an energy-efficient distributed computer that enables agile and dynamic creation, move and suppression of processes and services in response to changing customer demands and information flows, and supports interaction with humans through new communication modes, such as gestures, facial expressions, sound, haptics, etc. To make this vision a reality, a shift towards a full automation of network and service management and operation is a necessity.
However, a major challenge facing full automation is the protection of network and system assets (i.e., services, data and network infrastructure) against potential cybersecurity risks introduced by the unprecedented and evolving 5G threat landscape. Recent advances in Blockchain technology and Artificial Intelligence have opened up new opportunities for developing robust and intelligent security solutions. The fusion of 5G, Blockchain, Security and AI is anticipated to form the core technologies that realise digital transformation in the next decade.
Although work on security has been undertaken throughout the successive phases of the 5G-PPP Programme (e.g., 5G-ENSURE, CHARISMA, NRG-5) and some results have been achieved, if not already adopted by Standards Developing Organizations (SDOs) in the field (e.g. 3GPP), addressing 5G security concerns is far from being completely resolved. Existing solutions suffer from a number of limitations.
The workshop is aimed at discussing the emerging 5G security in a holistic manner to understand the challenges, opportunities & standardization imperatives and define the way forward and immediate next steps to ensure ubiquitous adoption of 5G globally.
Register for this event before 10 October 2021.
4. The Challenges of Software Cybersecurity Certification [Building Security In]
The European Union has been leading the privacy and security fight with the introduction of the General Data Protection Regulation (GDPR) in 2016. Most recently, the Cybersecurity Act (CSA) established a certification framework for products and services. This mandate is meant to end the fragmentation of the previous cybersecurity certification schemes.
In 2019, the new European Union (EU) cybersecurity regulation “Cybersecurity Act” (“CSA”) entered into force to create a common framework for the certification of any information and communication technology (ICT) system, including products, services, and processes. The main purpose of this framework is to reduce the current fragmentation of cybersecurity certification schemes as well as to increase end-users’ trust in a hyperconnected society by fostering a mutual recognition of certified ICT components in any EU country. Continue Reading.
“Challenges of Software Cybersecurity Certification [Building Security In]” in IEEE Security & Privacy, vol. 19, pp. 99-102, January 2021.
Authors: Jose L. Hernandez-Ramos, Sara N. Matheu, Antonio Skarmeta
3. Scheme Flooding Vulnerability – A Threat to Online Privacy
Think back to a time when you were engaged in a heated debate and you were sure your friend misstated facts. You undoubtedly took to the internet to do a quick Google search to verify the veracity of their statement. Our lives are filled with moments requiring us to search for answers to our momentary needs. It is this interconnectedness with technology – and browsers – that creates opportunities to become the victim of a cybercrime.
Browser privacy has largely been relegated to popup blockers and opting out of cookies, yet there are still massive vulnerabilities that have been neglected. This is why we are seeing an increase in scheme flooding vulnerabilities as the reason for data breaches and exploits.
Continue reading to learn more about scheme flooding vulnerability.
2. Pandemic Parallels: What Can Cybersecurity Learn From COVID-19?
Cybersecurity and COVID-19 share many characteristics, which make them difficult to mitigate. While there are differences between the two, with the effects of the pandemic being more severe, there are still many parallels that can inform future decisions.
The COVID-19 pandemic has demonstrated society’s dependence on information technology, including the need for adequate cybersecurity to protect the remote workforce and the technologies we are using. Beyond this direct linkage, there are further parallels that can be drawn between COVID-19 and cybersecurity threats. While acknowledging that COVID-19 impacts may be more extreme than those of cybersecurity, this article explores the similarities, especially the challenges inherent in how people manage risk and respond to these threats. A better understanding of the parallels can inform our future approach to tackling the promotion of cybersecurity and response to cybersecurity threats. Continue Reading.
“Pandemic Parallels: What Can Cybersecurity Learn From COVID-19?” in IEEE Computer, vol. 54, pp. 68-72, March 2021.
Authors: Steven Furnell, Julie Haney, Mary Theofanos
1. Global Connected Healthcare Cybersecurity Workshop Series
Technologies like artificial intelligence, virtual reality, 3D imaging, robotics, and nanotechnology are changing the face of healthcare before our eyes. Embracing technology is helping healthcare workers to provide better care for their patients.
The increased reliance on technology requires added attention to the cybersecurity threats facing the healthcare industry. The Global Connected Healthcare Cybersecurity Virtual Workshop Series is a gathering of leaders in healthcare, technology, and policy. This workshop series is being presented by IEEE SA, the IEEE P2933 Working Group, and the Northeast Big Data Innovation Hub of Columbia University, with the goal of developing a mutual understanding and recommendations for standards to improve connected healthcare security. Topics will explore challenges and opportunities in connected healthcare security, privacy, ethics, trust, and identity, including data and device validation and interoperability.
The resulting recommendations of these workshops will include an Integrated Systems Design approach, leveraging the TIPPS framework being developed by IEEE working groups to enhance Trust, Identity, Privacy, Protection, Safety, and Security of clinical IoT and connected healthcare systems.
Learn more and register here.