Power Programs


Take a Journey into Deeper Programs

Some Encryption Tools

BitLocker

BitLocker is a data protection feature by Microsoft that integrates with the operating system and protects against “data theft or exposure from lost, stolen, or inappropriately decommissioned computers.” BitLocker helps mitigate unauthorized data access and also helps render data inaccessible when computers are decommissioned (Simpson et al., 2018). “BitLocker is the Windows encryption technology that protects your data from unauthorized access by encrypting your drive and requiring one or more factors of authentication before it will unlock it, whether for regular Windows use or an unauthorized access attempt” (Finding your BitLocker recovery key in Windows 10).


Web Application Attacks

Introduction


Cryptography Tools

Encryption is used to turn plaintext messages into encrypted messages that cannot be understood except by the sender and receiver. It is important for securing both wired and wireless networks, and using the best tools will help implement best practices with high efficiency. Some tools used for encryption include MD5 Calculator, HashMyFiles, BitLocker, VeraCrypt, and AES Crypt. This paper will discuss the following for each of these tools: pros and cons, specific use cases, their part in guarding against crypto attacks, and additional protection methods/policies.


IoT Security

When used correctly, IoT can provide great efficiency in pursuing the goals of the business, organization, or individual. It is growing quickly, and more and more uses are emerging. However, this great technology requires great security because of the complicated networks involved. IoT devices shouldn’t replace human workers, but should be a useful tool to increase productivity and reduce daily hindrances.
According to Oracle, “The Internet of Things (IoT) describes the network of physical objects—“things”—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet. These devices range from ordinary household objects to sophisticated industrial tools … IoT has become one of the most important technologies of the 21st century” (What is the Internet of Things (IoT)?). Some examples of commonly used IoT objects include kitchen appliances, cars, and thermostats. Some more advanced IoT applications include manufacturing, tracking physical assets, health monitoring devices, and remote machine monitoring. Therefore, it is great for companies to integrate IoT technology into their daily workforce. However, without proper security, it may cost more than it is worth.
The security concerns of IoT devices are typically higher than those of other devices. The advanced communications between devices, data storage, and entry points into the systems can all provide increased opportunity for attackers. However, if cybersecurity professionals are careful to study past breaches, it is possible that these attacks will provide more gain than loss, because they have revealed security weaknesses that could potentially be much worse if not addressed sooner. The lessons learned should not be ignored or forgotten, and those interested in securing systems should keep up to date with the latest understanding of security breaches.
Four fairly recent IoT breaches are Stuxnet, Mirai, Casino Data Leak, and Trifo (5 Leading IoT Security Breaches and What We Can Learn From Them 2019). These are all serious breaches that have happened within the last few years. Although they have caused damage, there is also a lot to be learned from them, and hopefully there will be enough information to prevent these from happening in the future.
Stuxnet is an advanced computer worm that targets machinery used in the nuclear industry. It “begins to look for centrifuges (machines used to isolate isotopes of uranium) and reprogram them to perform varying cycles that result in the centrifuges disintegrating.” It is also unique because it “was one of the first instances of a computer worm destroying real-world devices, as opposed to just hacking them to perform software damage” (5 Leading IoT Security Breaches and What We Can Learn From Them 2019). This is alarming because it may be the beginning of a new phase of attacks that damage not just software, but also real-world devices. The developers of Stuxnet have not been confirmed, but it was probably developed by the United States and Israel to damage the Iranian nuclear program, and it could have been avoided if the nuclear plants had been “running some basic level protective software.” This is an advanced worm because it is capable of not only breaching the Iranian network, but also reprogramming machines to change the way they handle isotopes of uranium. There are several lessons to be learned here. The first is a reminder of the engagement of large governments in attacking and defending against cybersecurity attacks. Any company that works closely with a government needs to maintain proper security to handle government attacks. Second, it is important to never forget even the simplest security measures, because they can sometimes block even sophisticated attacks.
Since this worm was a method of protecting other nations, including Israel and the United States, from nuclear attacks, it was actually a good breach for some nations, excluding Iran.
“Mirai took advantage of insecure IoT devices in a simple but clever way. It scanned big blocks of the internet for open Telnet ports, then attempted to log in default passwords. In this way, it was able to amass a botnet army” (Fruhlinger, 2018). This botnet was so large that it left a lot of the internet inaccessible on the U.S. east coast. Its original intent was to make money off of Minecraft, but it grew more powerful than the creators originally intended. “Mirai is IoT specialized malware that uses common usernames and passwords to gain access to IoT devices” (5 Leading IoT Security Breaches and What We Can Learn From Them 2019). This is a brute-force approach that relies not on high levels of accuracy of a single attack, but instead on large numbers of targets and repetition. Many devices have default usernames and passwords, such as “Admin” and “Password.” An important lesson here is to never underestimate the power of a malicious program in the IoT, even if it has been developed by only a few people. Fortunately, the attackers were caught and the damages they caused have been reversed. After the damages were done, the authors of the botnet were not required to serve jail time, but to pay a fine of $127,000, serve five years of probation, and perform 2,500 hours of community service (Mirai Botnet Authors Avoid Jail Time 2019). Mirai is also a warning lesson to attackers that launching large attacks will result in high legal consequences. Although there are attackers that get away with their crime, publicity of the criminal consequences of breaches may make them think twice.
The Casino Data Leak is an example of the importance of the diligence required to secure the smaller devices that may appear insignificant at first glance.
A casino, greatly concerned about the well-being of their fish, had “Not just an ordinary fish tank, mind you, but a fairly high-tech one that featured Internet connectivity. That connection allowed the tank to be remotely monitored, automatically adjust temperature and salinity, and automate feedings” (Mathews, 2017). If a device has the capability to connect to the system’s network or database, it requires some measure of security, no matter how small the device may appear to be. “What makes this attack daunting is that even the simplest device with internet access can bring down the strictest networks. All it takes is for an engineer to decide (or forget) not to implement security on something as simple as a temperature sensor” (Mathews, 2017). This is a valuable lesson that must be remembered in implementing security controls in IoT devices. The breach stole 10 gigabytes of data from the casino. The casino called Darktrace to help fix the problem, and they spotted it almost immediately. “This was a clear case of data exfiltration,” notes the Darktrace report, adding “but far more subtle than typical attempts at data theft” (Mathews, 2017).
Trifo vacuums may be great at cleaning carpets, but their security controls needed some major cleaning. “The Trifo Ironpie has a built-in camera. Security researchers revealed Wednesday that vulnerabilities in the device could let hackers access the video stream remotely, among other things” (Hautala, 2020). The cybersecurity firm Checkmarx claims that the vacuums have multiple security vulnerabilities, including insecure Android app update, remote access, insecure encryption, remote video access, and DoS attack. In fact, bad coding practices were identified. Three of these vulnerabilities have a CVSS score above 8, which is a high rating and close to a critical rating (Umbelino, 2020). These are some serious concerns, and it is a good lesson to be learned.
Vulnerability scanning is an important step in pen testing, and the pen testers must be skilled enough to catch any major vulnerabilities. Bad coding practices must be avoided from day one in the development process, not fixed after the software has already been released. The Checkmarx report greatly assisted in fixing the security flaws for Trifo.
Medical devices connected to IoT have a great requirement for security because the wearer’s health is dependent upon the device functioning properly without being attacked. “For example, a person might have an implanted heart device such as a pacemaker or a defibrillator. This device, which is permanently embedded within the patient’s body, communicates with an external monitor in the person’s home that relays data to the doctor or clinic” (Raidman, 2020). The company Neuralink, set up by Elon Musk, is currently developing ways to connect the human brain to a computer interface to medicate patients with severe neurological conditions. “But ultimately Mr Musk envisions a future of superhuman cognition” (Wakefield, 2019). Before these advancements take place, lessons must be learned from previous security experiences. Hacking into a person’s brain is far worse than hacking into a person’s computer, and some hackers may be passionate about succeeding. Hackers may also try to hack into the devices they wear in their own brain to increase connectivity to other devices in malicious ways.
However, here are some general ways to defend against IoT hacking:
- “Disable the “guest” and “demo” user accounts if enabled
- Use the “Lock Out” feature to lock out accounts for excessive invalid login attempts
- Implement strong authentication mechanism
- Locate control system networks and devices behind firewalls, and isolate them from the business network
- Implement IPS and IDS in the network
- Implement end-to-end encryption and use Public Key Infrastructure (PKI)
- Use VPN architecture for secure communication
- Deploy security as a unified, integrated system
- Allow only trusted IP addresses to access the device from the Internet
- Disable telnet (port 23)
- Disable UPnP port on routers
- Prevent the devices against physical tampering
- Patch vulnerabilities and update the device firmware regularly” (EC-Council 2018)
In conclusion, using IoT technology in a company can be very rewarding if done correctly with proper security controls in place, but also very damaging if security controls are not correctly implemented. Countermeasures for IoT devices vary from one device to another because IoT devices can be unique.
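
The “Lock Out” countermeasure from the list above, run against the kind of repeated login attempts Mirai relied on, is shown here as an added example that is not part of the original essay or the EC-Council material. The log format, sample lines, addresses and the find_lockouts function are constructed for illustration; the key="src" option goes beyond the per-account lockout in the list by also counting failures per source address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format; documentation-range addresses).
SAMPLE_LOG = """\
2024-01-01T10:00:00 telnet login FAILED user=admin src=203.0.113.7
2024-01-01T10:00:02 telnet login FAILED user=admin src=203.0.113.7
2024-01-01T10:00:03 ssh login FAILED user=alice src=198.51.100.20
2024-01-01T10:00:04 telnet login FAILED user=root src=203.0.113.7
2024-01-01T10:00:05 telnet login FAILED user=admin src=203.0.113.7
2024-01-01T10:00:09 ssh login OK user=alice src=198.51.100.20
2024-01-01T10:05:00 telnet login FAILED user=root src=203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) (\w+) login (FAILED|OK) user=(\S+) src=(\S+)$")


def find_lockouts(log_text, key="user", max_failures=3,
                  window=timedelta(seconds=60)):
    """Return {account or source: timestamp of the failure that triggers lockout}.

    A key is locked once it has max_failures failed logins inside the sliding
    window. A successful login resets the counter for that key.
    """
    recent = defaultdict(deque)  # key -> times of failures still in the window
    locked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, _service, result, user, src = m.groups()
        k = user if key == "user" else src
        if k in locked:
            continue  # already locked; later attempts change nothing
        if result == "OK":
            recent[k].clear()
            continue
        when = datetime.fromisoformat(ts)
        q = recent[k]
        q.append(when)
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            locked[k] = ts
    return locked


if __name__ == "__main__":
    print("per account:", find_lockouts(SAMPLE_LOG))
    print("per source: ", find_lockouts(SAMPLE_LOG, key="src"))
```

Counting per source locks the scanning address one attempt earlier than counting per account, because the bot spreads its guesses across admin and root.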


Securing Web Applications

Security is majorly important in all web applications. It must be built into the application from the ground up, and not treated as a separate component of development. There are countless breaches taking place yearly, and there is a greater need for applications to be secure against attacks. There are many important places in web applications that need security controls. It only takes one security flaw for a hacker to succeed. It is not uncommon for only a couple of hackers to breach a large company that has many more security professionals developing security controls.