| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| en:iot-open:security_and_privacy_in_iot_ume:iot_security [2018/03/01 13:03] – kap2fox | en:iot-open:security_and_privacy_in_iot_ume:iot_security [2020/07/20 12:00] (current) – external edit 127.0.0.1 |
|---|
| ===== IoT security and privacy===== | ====== ====== |
| | <box #d04a25></box> |
| | <box #d04a25></box> |
| | ====== IoT Security and Privacy====== |
| | <box #d04a25></box> |
| | <box #d04a25></box> |
| |
| **// Concept of information security and its importance. //** | **// Concept of information security and its importance. //** |
| |
| There are two approaches to determination of the concept "information security": | There are two approaches to the determination of the concept of “information security”: |
| |
| **1. Information security** — a status of safety of information resources and protection of legitimate rights of the personality and society in the information sphere. | - **Information security** – the status of the safety of information resources and the protection of the legitimate rights of the personality and society in the information sphere. |
| | - **Information security** – is a process of support for confidentiality, integrity and accessibility of information. |
| **2. Information security** is a process of support of confidentiality, integrity and accessibility of information. | |
| |
| **Confidentiality**: Ensuring access to information only to authorized users. | **Confidentiality** – ensuring access to information only to authorised users. |
| |
| **Integrity**: Support of reliability and completeness of information and methods of its processing. | **Integrity** – support of reliability and completeness of information and processing methods. |
| | |
| **Accessibility**: Ensuring access to information and related assets of authorized users as required. | **Accessibility** – ensuring access to information and related assets of authorised users as required. |
| | |
| The properties given above are fundamental bases in the sphere of protection and safety of information. | The properties given above are fundamental bases in the sphere of protection and safety of information. |
| | |
| **Safety of information** — a status of security of data in case of which their confidentiality, accessibility and integrity are provided. | **Safety of information** – a status of the security of data in the case of which their confidentiality, accessibility and integrity are provided. |
| |
| Safety of information is defined by absence of the unacceptable risk connected to information leakage on technical channels, unauthorized and inadvertent impacts on data and (or) on other resources of an automated information system used in automated system. ((R. Minerva, and A. Biru, "Towards a Definition of the Internet of Things," in IEEE IoT Initiative White Paper)) | Safety of information is defined by the absence of the unacceptable risk connected to information leakage on technical channels, unauthorised and inadvertent impacts on data and (or) on other resources of an automated information system used in the automated system ((R. Minerva, and A. Biru, "Towards a Definition of the Internet of Things," in IEEE IoT Initiative White Paper)). |
| |
| To understand in what activities for support of information security consist it is necessary to understand value of three major concepts clearly: risk, threat and vulnerability. | To understand what activities for the support of information security consist of, it is necessary to understand the value of three major concepts clearly: risk, threat and vulnerability. |
| | |
| **The risk of information security** - a possibility that this threat will be able to use vulnerability of an asset or group of assets and by that will cause damage to the organization. | **The risk of information security** – a possibility that this threat will be able to use the vulnerability of an asset or group of assets and by that will cause damage to the organisation. |
| | |
| **The threat** is a potential or real-life danger of making of any act (actions or inactivities) directed against the subject to protection (information resources) causing damage to the owner, owner or user, which is shown it is in danger of distortion and losses of information. | **The threat** – a potential or real-life danger of making of any act (actions or inactivities) directed against the subject to protection (information resources) causing damage to the owner or user, which is shown it is in danger of distortion and losses of information. |
| |
| **Vulnerability** is a shortcoming, the error in implementation which does possible the unforeseen impact on system attracting failures in system operation is more often. Vulnerabilities are classified by a set of signs. One of the most important signs — harm which can be caused to system, using vulnerability. Most often understand the specific mistake made in case of design or coding of system as vulnerability. | **Vulnerability** – a shortcoming, the error in implementation which does possibly the unforeseen impact on system attracting failures in system operation is more often. Vulnerabilities are classified by a set of signs. One of the most important signs – harm which can be caused by the system, using vulnerability. Most often understand the specific mistake made in case of design or coding of the system as a vulnerability. |
| |
| In case of appearance of new information technologies and furthermore the whole information branches, there is a huge number of potential threats and vulnerabilities which shall be probed properly. Certainly, the Internet of Things did not become an exception. ((H. Reza Ghorbani, M. Hossein Ahmadzadegan, "Security challenges in internet of things: survey", Wireless Sensors (ICWiSe) 2017 IEEE Conference on, pp. 1-6, 2017.)) | In case of the appearance of new information technologies and furthermore the whole information branches, there is a vast number of potential threats and vulnerabilities which shall be probed correctly. Indeed, the Internet of Things did not become an exception ((H. Reza Ghorbani, M. Hossein Ahmadzadegan, "Security challenges in the Internet of Things: a survey", Wireless Sensors (ICWiSe) 2017 IEEE Conference on, pp. 1-6, 2017.)). |
| | |
| The recent report of Gartner predicts that by 2020 20,4 billion connected to IoT will be connected, at the same time will be connected every day 5,5 million new devices. Besides, by 2020 more than a half of large new business processes and systems will include the IoT component. ((TechRadar™: Internet Of Things Security, Q1 2017)) | The recent report of Gartner predicts that by 2020, 20.4 billion devices will be connected to IoT, and at the same time will be joined every day by 5,5 million new devices. Besides, by 2020, more than half of sizeable new business processes and systems will include the IoT component. |
| |
| These digits stun and assume that standard protection the PC and anti-virus solutions will not be able to resist to future threats of cyber security on the attached devices IoT. | These digits are surprising and assume that standard protection the PC and anti-virus solutions will not be able to resist future threats of cybersecurity on the attached devices IoT. |
| | |
| Need of more reliable measures for protection of the built-in devices IoT was confirmed with the recent research Forrester TechRadar in which use options, the business value and perspectives for 13 most important and important technologies of safety of IoT were defined. It included the main technologies, such as authentication of IoT and encoding of IoT, in addition to the appearing technologies of protection of IoT, such as detection of threats of IoT, lock of IoT and analyst of safety of IoT. You can see the most important technologies of safety of IoT in a figure below: | |
| |
| <figure Ref.Pic.1> | For the last few years, many widespread cyber attacks showed risks of the inadequate safety of IoT. Perhaps, the attack of “Stuxnet” aimed at the industrial programmable logic controllers (PLC) at the Iranian uranium enrichment plant became the most known. Experts read that Stuxnet destroyed up to 1000 centrifuges connected through broadband networks to the PLCs devices working under control of the Windows operating system at the PCs standard platforms. |
| {{ :en:iot-open:security_and_privacy_in_iot_ume:criticaliot.gif |}} | |
| <caption> </caption> | |
| </figure> | |
| |
| | In 2016 was many serious attacks directed to IoT devices. Mirai botnet became one of such attacks. This specific a bot network infected numerous IoT devices (first of all old routers and IP cameras) and then used them for superimposing of Dyn DNS provider utilising the DDoS-attack. The botnet of Mirai destroyed Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter and some other the large websites. This piece of the malicious code used the devices using outdated versions of a kernel of Linux and relied on the fact that most users do not change names users/passwords by default on the devices. |
| |
| | Many companies reduce the costs of production, not including sufficient space for storage on the devices to provide updating of a kernel Linux. Because of it, kernels which include vulnerabilities work on many IoT devices. Vendors need to learn this lesson and to allow each device to update regularly kernels. Until this problem is solved, IoT devices will still suffer from the weight of exploits. |
| |
| | In November 2016 ((https://www.welivesecurity.com/2016/12/30/biggest-security-incidents-2016)) cybercriminals closed heating of two buildings in the city of Lappeenranta, Finland. It was the DDoS-attack; in this case, the attack allowed heating controllers to reboot the system permanently, so heating was not made. As the temperature in Finland fell below zero at this time, this attack caused very unpleasant consequences. |
| |
| For the last few years many widespread cyber attacks showed risks of inadequate safety of IoT. Perhaps, the attack of "Stuxnet" aimed at the industrial programmable logic controllers (PLC) at the Iranian uranium enrichment plant became the most known. Experts read that Stuxnet destroyed up to 1000 centrifuges connected through broadband networks to the PLCs devices working under control of the Windows operating system at the PCs standard platforms. | Even if you take reasonable measures of the safety of IoT, your connected gadgets can be compromised by criminals. Last fall the DSN Dyn-Internet service provider got under the attack which broke access to favourite websites. Attackers could take under control a large number of devices connected to the Internet, such as video recorders and cameras. These devices that were used for carrying out the attack ((Z. K. Zhang, M. C. Y. Cho, C. W. Wang, C. W. Hsu, C. K. Chen, S. Shieh, "IoT security: Ongoing challenges and research opportunities", Proc. IEEE 7th Int. Conf. Service-Oriented )). |
| | |
| In 2016 was many serious attacks directed to IoT devices. Mirai botnet became one of such attacks. This specific a bot network infected numerous IoT devices (first of all old routers and IP cameras), and then used them for superimposing of Dyn DNS provider by means of the DDoS-attack. The botnet of Mirai destroyed Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter and some other the large websites. This piece of the malicious code used the devices using outdated versions of a kernel of Linux and relied on the fact that most of users do not change names users / passwords by default on the devices. | |
| | |
| Many companies reduce costs of production, not including sufficient space for storage on the devices to provide updating of a kernel Linux. Because of it kernels which include vulnerabilities work on many IoT devices. Vendors need to learn this lesson and to allow each device to update regularly kernels. Until this problem is solved, IoT devices will still suffer from weight of exploits. | |
| | |
| In November, 2016 ((https://www.welivesecurity.com/2016/12/30/biggest-security-incidents-2016)) cybercriminals closed heating of two buildings in the city of Lappeenranta, Finland. It was the DDoS-attack; in this case the attack allowed heating controllers to reboot permanently system so heating was not made. As temperature in Finland fell below zero at this time, this attack caused very unpleasant consequences. | |
| | |
| Even if you take reasonable measures of safety of IoT, your connected gadgets can be compromised by criminals. Last fall the DSN Dyn-Internet service provider got under the attack which broke access to popular web sites. Attackers could take under control a large number of the devices connected to the Internet, such as video recorders and cameras. These devices then were used for carrying out the attack. ((Z. K. Zhang, M. C. Y. Cho, C. W. Wang, C. W. Hsu, C. K. Chen, S. Shieh, "IoT security: Ongoing challenges and research opportunities", Proc. IEEE 7th Int. Conf. Service-Oriented )) | |
| | |
| To tell the truth, IoT gives the almost infinite opportunities for connection of our devices and the equipment. From the point of view of creativity this field is widely opened, with the infinite set of methods "to connect devices". It can become the large platform for people with the innovative ideas, but also it concerns also malefactors therefore IoT offers both new opportunities of development, and potential security concerns. | |
| |
| | IoT gives the almost infinite opportunities for connection of our devices and the equipment. From the point of view of creativity, this field is widely opened, with the endless set of methods “to connect devices”. It can become an ample platform for people with innovative ideas, but also it concerns also malefactors. Therefore, IoT offers new opportunities for development and potential security concerns. |
