Monday, June 5, 2017

EDU Are Small Cities



In a general sense, universities are small cities with the services that are provided by such localities. For example, Virginia Tech provides similar services to its community that the town of Blacksburg provides to its citizens. A cybersecurity architecture has to encompass all of these service areas. 


Some of these services include:
  • Power generation – VT has its own power generation plant that provides electrical power, A/C and heating to facilities on campus. The power generation plant also provide power to some segments of the town itself.

  •  Law enforcement – As many EDUs do, VT has its own campus police department with full LE authority and powers as any other state law enforcement officers (LEO).

  • Dining Services – what used to be the traditional dining hall facilities has evolved to a wide variety of food choices.
  • A Cultural scene – VT provides a wide variety of music, theatre, lecture, film events that open to the community as well as the general public
  •  Library – this seems odd but since VT is a public institution, its library is open to anyone regardless of their affiliation with the University.
  • ·Medical services – student health services, counseling services, wellness services, adult day care services are some of the traditional medical services provided
  •  Athletic – from intramural, extramural sports to NCAA sanctioned sports, VT offers a wide variety of athletic events that are open to the public.
  • Educational – VT is its own “school system”.
Urban universities offer the same services listed above with the exception of the power plant but they do have a facilities management program. 

 Corporations that offer a wide variety of services to their employees face the same security issues.  As you can imagine, it's a challenge to balance the security requirements of each of these service areas.
Posted by at No comments:

Monday, October 3, 2016

World Full of Smart Gadgets



Internet Security: A World Full of Smart Gadgets
You’ve heard everyone talk about the “Internet of Things”, “smart cars”, “smart devices or gadgets”. This is just a description of the pervasiveness of computers in our everyday lives. These devices are now being connected to the Internet and this poses challenges to personal privacy and the security of the Internet.

Figure 1. Smart gadgets in a home (image by Steve Johnson, Jeff Durham BayArea News Group)
Figure 1 shows how pervasive these gadgets can become in our lives. Every room in a house will be impacted by this Internet of Things. 

What does this have to do with Virginia Tech? Well, today’s students show up on campus with at least 4-5 devices that need to be connected to the network. These include the University required computer, their smart phone, tablet, gaming consoles like Xbox, and usually a smart device like a smart TV or radio. Each of these devices is a specialized computer and unfortunately they’re not secured by the manufacturer. For example, printers, copiers and scanners have no passwords associated with them by default. Figure 1 shows how common household devices will be able to gather personal information (schedules, preferences, health) of the occupants. These devices can transmit that information to advertisers, manufacturers. 

Recently these types of devices have been taken over by hackers and used to attack other sites. Brian Krebs, a well known journalist, was the target of an internet DDOS attack that forced his www site offline for a number of days. This was in response to a series of articles he wrote about cyber criminals being captured. They retaliated by launching a massive denial of service attack against his www site. It's believed that many of the attacking hosts were “smart” gadgets. The new IoT botnet Mirai was used to launch a historically huge attack against Brian Kreb's site (https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/) and is guaranteed to cause mayhem on the net.

Security experts have been warning the community about the lack of security in Internet of Things (IoT)/smart gadgets. Unfortunately, someone else heeded the warnings and took advantage of this knowledge.

Stay tuned for more.






Posted by at No comments:

Friday, September 30, 2016

The Internet of Cows



Glenn Fink, a security researcher at Pacific Northwest Labs, did a presentation called the “Internet of Cows” where he showed how dairy farming has become an automated, internet accessible business process. He took  the discussion one step further by saying that cows make great human surrogates in the privacy debates surrounding IoT. He showed how data from almost every single biological process of a cow (health, reproduction, location, sounds) is monitored by IoT.  Analysis of herd data allows farmers to predict the health of a cow, the optimum time for reproduction and milk production. He maintained that cows don’t object to this type of management and therefore, this is why they are well suited to study the effects of intrusive monitoring. 

It was one of those presentations that makes you go "hmmmmm". The use of "biological" Internet of Things has been well established in the animal husbandry world. As Glenn stated, we're already moving in this direction with regard to human health monitoring. The privacy implications of such monitoring should concern most  of us these days. I've always said that I don't mind external sites collecting data about me as long as a) the default is opt-out where no data is sent out b) you tell me what you're going to do with my data c) you protect my data from unauthorized access.  Obviously, this isn't the norm these days. 

Hopefully, as more "fitness" IoT devices enter the market, people will start to demand their health info be safeguarded as much as possible.  More on this later....
Posted by at No comments:

Monday, April 4, 2016

I'm Back

Yes, it's been a while since I've posted something here. It's been a busy, crazy year. Here are some of the things we've been doing here at VA Tech. I'll be posting some blog entries with more details on each of the items. Consider this entry to be a "headlines" blog.

1. Stacy Kaye from Silverbull.co interviewed me about being a CISO. Her article can be found here
http://www.silverbull.co/a-day-in-the-life-of-a-ciso-virginia-tech/
I will warn you that the picture in the article is my official VT photo and doesn't reflect my usual attire :-)

2. MT6D - Moving Target IPv6 Defense. A series of research projects based on Matt Dunlop and Stephen Groat's research involving dynamic address switching as a defense against DDOS attacks in IPv6. Their original research has spun off a number of secondary MT6D research. Pretty neat and exciting stuff they did. Think radio frequency hopping but instead of hopping frequencies, we hop IPv6 addresses

3. Continuous Monitoring Update - an update on our evergoing continuous monitoring project

So keep in touch for more blogs coming up here and at http://www.securitycurrent.com/en/writers/randy-marchany
Posted by at No comments:
Subscribe to: Posts (Atom)