Fluent Essays

#1 For this assignment, review the attached research article Cyber Security and the Internet of Things: Vulnerabilities, Threats, Intruders and Attacks and evaluate it in 2 pages or less (700 words), using your own words, by addressing the following: What did the authors investigate, and in general how did they do so?Identify the hypothesis or question being testedSummarize the overall article.Identify the conclusions of the authorsindicate whether or not you think the data support their conclusions/hypothesisconsider alternative explanations for the resultsThe relevance or importance of the studyThe appropriateness of the experimental design Provide any additional comments pertaining to other approaches to testing their hypothesis -logical follow-up studies to build on, confirm or refute the conclusions The article you use must be at least 3 pages long and be a primary or original research article. When you write your evaluation be brief and concise, this is not meant to be an essay but an objective evaluation that one can read very easily and quickly. Also, you should include a complete reference (title, authors, journal, issue, pages) and a photocopy of the article when you turn in your evaluation. #2 Mobile devices (smartphones) are the number one Internet-connected device. Mobile devices are also a threat to organizations networks as these devices have storage mediums, Near Field Communication (NFC), and other technological advances that make them undeniable dangerous as an access point for malicious individuals. We carry them nearly everywhere we go. Android is an open-source that allows customization to the operating system and is considered static. While iOS is not open source and controlled by Apple, however, users can jailbreak them which lowers the security and expose the device to vulnerabilities. What process do you propose to mitigate the threats towards mobile devices? post should be a minimum of 500 words rp_journal_2245_1439_414_1_.pdf Unformatted Attachment Preview Cyber Security and the Internet of Things: Vulnerabilities, Threats, Intruders and Attacks Mohamed Abomhara and Geir M. Køien Department of Information and Communication Technology, University of Agder, Norway Corresponding Authors: {Mohamed.abomhara; geir.koien}@uia.no Received 14 September 2014; Accepted 17 April 2015; Publication 22 May 2015 Abstract Internet of Things (IoT) devices are rapidly becoming ubiquitous while IoT services are becoming pervasive. Their success has not gone unnoticed and the number of threats and attacks against IoT devices and services are on the increase as well. Cyber-attacks are not new to IoT, but as IoT will be deeply interwoven in our lives and societies, it is becoming necessary to step up and take cyber defense seriously. Hence, there is a real need to secure IoT, which has consequently resulted in a need to comprehensively understand the threats and attacks on IoT infrastructure. This paper is an attempt to classify threat types, besides analyze and characterize intruders and attacks facing IoT devices and services. Keywords: Internet of Things, Cyber-attack, Security threats. 1 Introduction The recent rapid development of the Internet of Things (IoT) [1, 2] and its ability to offer different types of services have made it the fastest growing technology, with huge impact on social life and business environments. IoT has Journal of Cyber Security, Vol. 4, 65–88. doi: 10.13052/jcsm2245-1439.414 c 2015 River Publishers. All rights reserved.  66 M. Abomhara and G. M. Køien gradually permeated all aspects of modern human life, such as education, healthcare, and business, involving the storage of sensitive information about individuals and companies, financial data transactions, product development and marketing. The vast diffusion of connected devices in the IoT has created enormous demand for robust security in response to the growing demand of millions or perhaps billions of connected devices and services worldwide [3–5]. The number of threats is rising daily, and attacks have been on the increase in both number and complexity. Not only is the number of potential attackers along with the size of networks growing, but the tools available to potential attackers are also becoming more sophisticated, efficient and effective [6, 7]. Therefore, for IoT to achieve fullest potential, it needs protection against threats and vulnerabilities [8]. Security has been defined as a process to protect an object against physical damage, unauthorized access, theft, or loss, by maintaining high confidentiality and integrity of information about the object and making information about that object available whenever needed [7, 9]. According to Kizza [7] there is no thing as the secure state of any object, tangible or not, because no such object can ever be in a perfectly secure state and still be useful. An object is secure if the process can maintain its maximum intrinsic value under different conditions. Security requirements in the IoT environment are not different from any other ICT systems. Therefore, ensuring IoT security requires maintaining the highest intrinsic value of both tangible objects (devices) and intangible ones (services, information and data). This paper seeks to contribute to a better understanding of threats and their attributes (motivation and capabilities) originating from various intruders like organizations and intelligence. The process of identifying threats to systems and system vulnerabilities is necessary for specifying a robust, complete set of security requirements and also helps determine if the security solution is secure against malicious attacks [10]. As well as users, governments and IoT developers must ultimately understand the threats and have answers to the following questions: 1. 2. 3. 4. 5. 6. What are the assets? Who are the principal entities? What are the threats? Who are the threat actors? What capability and resource levels do threat actors have? Which threats can affect what assets? Cyber security and the Internet of Things 67 7. Is the current design protected against threats? 8. What security mechanisms could be used against threats? The remainder of this paper is organized as follows. Section 2 provides a background, definitions, and the primary security and privacy goals. Section 3 identifies some attacker motivations and capabilities, and provides an outline of various sorts of threat actors. Finally, the paper concludes with Section 4. 2 Background The IoT [1, 2, 11] is an extension of the Internet into the physical world for interaction with physical entities from the surroundings. Entities, devices and services [12] are key concepts within the IoT domain, as depicted in Figure 1 [13]. They have different meanings and definitions among various projects. Therefore, it is necessary to have a good understanding of what IoT entities, devices and services are (discussed in detail in Section 2.1). An entity in the IoT could be a human, animal, car, logistic chain item, electronic appliance or a closed or open environment [14]. Interaction among Figure 1 IoT model: key concepts and interactions. 68 M. Abomhara and G. M. Køien entities is made possible by hardware components called devices [12] such as mobile phones, sensors, actuators or RFID tags, which allow the entities to connect to the digital world [15]. In the current state of technology, Machine-to-Machine (M2M) is the most popular application form of IoT. M2M is now widely employed in power, transportation, retail, public service management, health, water, oil and other industries to monitor and control the user, machinery and production processes in the global industry and so on [5, 16, 17]. According to estimates M2M applications will reach 12 billion connections by 2020 and generate approximately 714 billion euros in revenues [2]. Besides all the IoT application benefits, several security threats are observed [17–19]. The connected devices or machines are extremely valuable to cyber-attackers for several reasons: 1. Most IoT devices operate unattended by humans, thus it is easy for an attacker to physically gain access to them. 2. Most IoT components communicate over wireless networks where an attacker could obtain confidential information by eavesdropping. 3. Most IoT components cannot support complex security schemes due to low power and computing resource capabilities. In addition, cyber threats could be launched against any IoT assets and facilities, potentially causing damage or disabling system operation, endangering the general populace or causing severe economic damage to owners and users [20, 21]. Examples include attacks on home automation systems and taking control of heating systems, air conditioning, lighting and physical security systems. The information collected from sensors embedded in heating or lighting systems could inform the intruder when somebody is at home or out. Among other things, cyber-attacks could be launched against any public infrastructure like utility systems (power systems or water treatment plants) [22] to stop water or electricity supply to inhabitants. Security and privacy issues are a growing concern for users and suppliers in their shift towards the IoT [23]. It is certainly easy to imagine the amount of damage caused if any connected devices were attacked or corrupted. It is well-recognized that adopting any IoT technology within our homes, work, or business environments opens doors to new security problems. Users and suppliers must consider and be cautious with such security and privacy concerns. Cyber security and the Internet of Things 69 2.1 Understanding IoT Devices and Services In this section, the main IoT domain concepts that are important from a business process perspective are defined and classified, and the relationships between IoT components (IoT devices and IoT services) are described. 2.1.1 IoT device This is a hardware component that allows the entity to be a part of the digital world [12]. It is also referred to as a smart thing, which can be a home appliance, healthcare device, vehicle, building, factory and almost anything networked and fitted with sensors providing information about the physical environment (e.g., temperature, humidity, presence detectors, and pollution), actuators (e.g., light switches, displays, motor-assisted shutters, or any other action that a device can perform) and embedded computers [24, 25]. An IoT device is capable of communicating with other IoT devices and ICT systems. These devices communicate via different means including cellular (3G or LTE), WLAN, wireless or other technologies [8]. IoT device classification depends on size, i.e., small or normal; mobility, i.e., mobile or fixed; external or internal power source; whether they are connected intermittently or always-on; automated or non-automated; logical or physical objects; and lastly, whether they are IP-enabled objects or non IP objects. The characteristics of IoT devices are their ability to actuate and/or sense, the capability of limiting power/energy, connection to the physical world, intermittent connectivity and mobility [23]. Some must be fast and reliable and provide credible security and privacy, while others might not [9]. A number of these devices have physical protection whereas others are unattended. In fact, in IoT environments, devices should be protected against any threats that can affect their functionality. However, most IoT devices are vulnerable to external and internal attacks due to their characteristics [16]. It is challenging to implement and use a strong security mechanism due to resource constraints in terms of IoT computational capabilities, memory, and battery power [26]. 2.1.2 IoT services IoT services facilitate the easy integration of IoT entities into the serviceoriented architecture (SOA) world as well as service science [27]. According to Thoma [28], an IoT service is a transaction between two parties: the service provider and service consumer. It causes a prescribed function, enabling 70 M. Abomhara and G. M. Køien interaction with the physical world by measuring the state of entities or by initiating actions that will initiate a change to the entities. A service provides a well-defined and standardized interface, offering all necessary functionalities for interacting with entities and related processes. The services expose the functionality of a device by accessing its hosted resources [12]. 2.1.3 Security in IoT devices and services Ensuring the security entails protecting both IoT devices and services from unauthorized access from within the devices and externally. Security should protect the services, hardware resources, information and data, both in transition and storage. In this section, we identified three key problems with IoT devices and services: data confidentiality, privacy and trust. Data confidentiality represents a fundamental problem in IoT devices and services [27]. In IoT context not only user may access to data but also authorized object. This requires addressing two important aspects: first, access control and authorization mechanism and second authentication and identity management (IdM) mechanism. The IoT device needs to be able to verify that the entity (person or other device) is authorized to access the service. Authorization helps determine if upon identification, the person or device is permitted to receive a service. Access control entails controlling access to resources by granting or denying means using a wide array of criteria. Authorization and access control are important to establishing a secure connection between a number of devices and services. The main issue to be dealt with in this scenario is making access control rules easier to create, understand and manipulate. Another aspect that should be consider when dealing with confidentiality is authentication and identity management. In fact this issue is critical in IoT, because multiple users, object/things and devices need to authenticate each other through trustable services. The problem is to find solution for handling the identity of user, things/objects and devices in a secure manner. Privacy is an important issue in IoT devices and service on account of the ubiquitous character of the IoT environment. Entities are connected, and data is communicated and exchanged over the internet, rendering user privacy a sensitive subject in many research works. Privacy in data collection, as well as data sharing and management, and data security matters remain open research issues to be fulfilled. Cyber security and the Internet of Things 71 Trust plays an important role in establishing secure communication when a number of things communicate in an uncertain IoT environment. Two dimensions of trust should be considered in IoT: trust in the interactions between entities, and trust in the system from the users perspective [29] According to Køien [9] the trustworthiness of an IoT device depends on the device components including the hardware, such as processor, memory, sensors and actuators, software resources like hardware-based software, operating system, drivers and applications, and the power source. In order to gain user/services trust, there should be an effective mechanism of defining trust in a dynamic and collaborative IoT environment. 2.2 Security Threats, Attacks, and Vulnerabilities Before addressing security threats, the system assets (system components) that make up the IoT must first be identified. It is important to understand the asset inventory, including all IoT components, devices and services. An asset is an economic resource, something valuable and sensitive owned by an entity. The principal assets of any IoT system are the system hardware (include buildings, machinery, etc.) [11], software, services and data offered by the services [30]. 2.2.1 Vulnerability Vulnerabilities are weaknesses in a system or its design that allow an intruder to execute commands, access unauthorized data, and/or conduct denial-ofservice attacks [31, 32]. Vulnerabilities can be found in variety of areas in the IoT systems. In particular, they can be weaknesses in system hardware or software, weaknesses in policies and procedures used in the systems and weaknesses of the system users themselves [7]. IoT systems are based on two main components; system hardware and system software, and both have design flaws quite often. Hardware vulnerabilities are very difficult to identify and also difficult to fix even if the vulnerability were identified due to hardware compatibility and interoperability and also the effort it take to be fixed. Software vulnerabilities can be found in operating systems, application software, and control software like communication protocols and devices drives. There are a number of factors that lead to software design flaws, including human factors and software complexity. Technical vulnerabilities usually happen due to human weaknesses. Results of not understanding the requirements comprise starting 72 M. Abomhara and G. M. Køien the project without a plan, poor communication between developers and users, a lack of resources, skills, and knowledge, and failing to manage and control the system [7]. 2.2.2 Exposure Exposure is a problem or mistake in the system configuration that allows an attacker to conduct information gathering activities. One of the most challenging issues in IoT is resiliency against exposure to physical attacks. In the most of IoT applications, devices may be left unattended and likely to be placed in location easily accessible to attackers. Such exposure raises the possibility that an attacker might capture the device, extract cryptographic secrets, modify their programming, or replace them with malicious device under the control of the attacker [33]. 2.2.3 Threats A threat is an action that takes advantage of security weaknesses in a system and has a negative impact on it [34]. Threats can originate from two primary sources: humans and nature [35, 36]. Natural threats, such as earthquakes, hurricanes, floods, and fire could cause severe damage to computer systems. Few safeguards can be implemented against natural disasters, and nobody can prevent them from happening. Disaster recovery plans like backup and contingency plans are the best approaches to secure systems against natural threats. Human threats are those caused by people, such as malicious threats consisting of internal [37] (someone has authorized access) or external threats [38] (individuals or organizations working outside the network) looking to harm and disrupt a system. Human threats are categorized into the following: • Unstructured threats consisting of mostly inexperienced individuals who use easily available hacking tools. • Structured threats as people know system vulnerabilities and can understand, develop and exploit codes and scripts. An example of a structured threat is Advanced Persistent Threats (APT) [39]. APT is a sophisticated network attack targeted at high-value information in business and government organizations, such as manufacturing, financial industries and national defense, to steal data [40]. As IoT become a reality, a growing number of ubiquitous devices has raise the number of the security threats with implication for the general public. Unfortunately, IoT comes with new set of security threat. There are Cyber security and the Internet of Things 73 a growing awareness that the new generation of smart-phone, computers and other devices could be targeted with malware and vulnerable to attack. 2.2.4 Attacks Attacks are actions taken to harm a system or disrupt normal operations by exploiting vulnerabilities using various techniques and tools. Attackers launch attacks to achieve goals either for personal satisfaction or recompense. The measurement of the effort to be expended by an attacker, expressed in terms of their expertise, resources and motivation is called attack cost [32]. Attack actors are people who are a threat to the digital world [6]. They could be hackers, criminals, or even governments [7]. Additional details are discussed in Section 3. An attack itself may come in many forms, including active network attacks to monitor unencrypted traffic in search of sensitive information; passive attacks such as monitoring unprotected network communications to decrypt weakly encrypted traffic and getting authentication information; close-in attacks; exploitation by insiders, and so on. Common cyber-attack types are: (a) Physical attacks: This sort of attack tampers with hardware components. Due to the unattended and distributed nature of the IoT, most devices typically operate in outdoor environments, which are highly susceptible to physical attacks. (b) Reconnaissance attacks – unauthorized discovery and mapping of systems, services, or vulnerabilities. Examples of reconnaissance attacks are scanning network ports [41], packet sniffers [42], traffic analysis, and sending queries about IP address information. (c) Denial-of-service (DoS): This kind of attack is an attempt to make a machine or network resource unavailable to its intended users. Due to low memory capabilities and limited computation resources, the majority of devices in IoT are vulnerable to resource enervation attacks. (d) Access attacks – unauthorized persons gain access to networks or devices to which they have no right to access. There are two different types of access attack: the first is physical access, whereby the intruder can gain access to a physical device. The second is remote access, which is done to IP-connected devices. (e) Attacks on privacy: Privacy protection in IoT has become increasingly challenging due to large volumes of information easily available 74 M. Abomhara and G. M. Køien through remote access mechanisms. The most common attacks on user privacy are: • Data mining: ... Purchase answer to see full attachment