Tuesday, 23 June 2020

i4C Blogathon - First Prize Winning Entry by Mr. Sunil Kumar Singh| Theme - Cyber Security and Data Protection

Innovative Cyber Security and Data Protection Practices for the Digitally Driven World
First Prize Winning Entry by Mr. Sunil Kumar Singh| Theme -  Cyber Security and Data Protection

By Mr. Sunil Kumar Singh2nd Year, Electronics/Electrical
Indian Institute of Technology Mandi (IIT Mandi)
Rapid growth and innovation in technology have enabled humans to solve many challenging problems. With faster, cheaper, and effective technological solutions, we have entered the Information Age where data serves as fuel. Unlike other sources of fuel, data is not limited. It is created every second by everyone at an unimaginable rate. A recent study shows we generate 2.5 quintillion bytes of data every day.[1] This number is only going to increase with increasing dependency of organizations and governments upon IoT devices, digital tools, and services to drive the economy and fulfill the needs of society. 
Why Cyber security?
With more data, comes more risk. If the private and confidential data of the public goes in the wrong hands, it can lead to severe damage to corporations and individuals, and hence, needs to be protected. 
Statistics show that there is a web attack every 39 seconds across the globe[2] and 30,000 new websites get hacked every day on average.[3] Globalization has surely facilitated trade and sharing of ideas, but it has also made the whole world one entity, making them dependent on each other and hence, vulnerable. 
In the middle of a global pandemic COVID-19, our dependence on cyberspace has grown more than ever. From basic transactions to government bodies' meetings, everything is being done online. As online activities increase, so does the risk of cyber-attacks. We have started to realize that the protection of our data is as important as the proper utilization of it. 
Murphy’s law holds true in cyberspace which states, “If anything can go wrong, it will go wrong.” meaning, even a single mistake can lead to disruption of organizations and even governments. 
What are we doing Right?
Many organizations already have good security policies in place with a dedicated department for security to safeguard users' data. The security teams identify and mitigate threats that can potentially harm a company. Apart from that, companies are also following different tactics to ensure data security, such as penetration testing, vulnerability management, endpoint security, etc.  
Developers have started adopting necessary security measures like 2-Factor Authentication, web-application firewalls on both client as well as server sides, etc 
In recent years many companies have come up with ‘Responsible Disclosures Programs’ persuading good minds to hack for good. Platforms like HackerOne and BugCrowd, facilitate such programs and award white hat hackers with monetary rewards, popularly known by the buzz word 'bug bounty' for finding vulnerabilities in their companies and reporting them ethically. 
 Is it in(Sufficient)?
Still, a huge number of companies don't have adequate security measures due to various reasons, which puts users' data at risk. A recent study by Acunetix shows that 46% of web applications suffer from critical vulnerabilities and 87% suffer from medium-level vulnerabilities.[4] 
Less secure systems lead to massive data breaches, which have become a very common incident in recent times.[5] This leads to leakage and misuse of users’ private and confidential data ranging from their contact details to credit card information. 
Popular bug-bounty platforms fail to ensure 100% security as most companies allow only a limited portion of their assets to be tested by ethical security researchers, giving cyber criminals ample space to hack on. Some companies are also reported to give very little monetary rewards as compared to the potential loss in certain cases,[6] which pushes white hat hackers to the black side. 
Future Challenges
| 100% security is a myth 
Companies always go through changes. Applications always roll out updates. Technologies change all the time. Today's security can be tomorrow's vulnerability. 
If all goes right, we have humans as masters, who are one of the most vulnerable pieces in a system. No matter how secure the application is, it can be hacked in minutes if the administrator's password is 'password'. 
New technologies can not only introduce new vulnerabilities but can also turn old weaknesses into potential vulnerabilities. PTSecurity reported, web-applications with 'extremely poor' security have doubled compared to the previous year[4].

Over time, vulnerabilities might have remained the same, but the potential loss has increased many folds. The number of cases of ransomware attacks, data breaches, etc. has increased globally, which demands new innovative solutions instead of the traditional approach. 
Research in quantum computing may facilitate cyber-attacks with exponentially faster computing power enabling hackers to destroy major encryptions and making security even more difficult. 
Hence, to solve such problems which have never existed, we need solutions which never existed. 
Innovative Solutions
Horizontal vs. Vertical Growth
| It's not about Horizontal or Vertical, but Horizontal and Vertical. 
Horizontal growth, i.e. expansion of existing security policies to every sector and organization is as important as Vertical growth, which means developing new policies and measures to protect user data in a more efficient way. Only with balanced growth in both the fields, can we hope for a more secure world. 
People Are Vulnerabilities
Every employee is a potential entry point to the internal network for an attacker. A simple social engineering trick can compromise an employee's identity leading to a severe attack. Employees must be tested and trained regularly for such attacks.

| Equality is not always good 
Not every employee should be authorized to alter database entries. There must be a hierarchy in place giving different privileges to different people. 
Monitored Updates
A large number of companies have been compromised because of outdated software and services in place. An automated system should monitor all the assets owned by the company and update them as soon as a new patch is issued. 5G technology can aid to achieve the same globally, keeping all the systems updated across the globe all the time. This will remove many CVEs which are prime sources of cyber-attacks. 
White Hat vs. Black Hat
Employees switch jobs for better recognition of their skills. If white-hats were paid more than black-hats, we'd have had fewer cyber criminals, if not zero. 
The term “Ethical” in "Ethical hacker" forces us to think a hacker by default is unethical, which is not the case. The incentives and rewards which hackers see appear huge to them as compared to the risk involved, which persuades good minds to do evil. 
Black-hat hackers enjoy full freedom while white-hat hackers are restricted to certain areas for testing. An army can't save a country if soldiers are confined to bunkers and criminals are free to attack from wherever they want. Providing ethical researchers more freedom and access to resources will not only make security easier but also transform black-hats into white-hats. 
Stricter Laws and Rules
Governments must make and implement stricter rules for cyber security, and keep organizations in check.
Companies with more than a certain user base must meet predefined security criteria. ● Startups must have a security team from the very start. Cyber-police should keep people in check and make them follow government rules. Cyber rules should be an integral part of the school's curriculum same as the "Fundamental Rules". 
Ahead of 'Them'
Since 100% security is impossible, we need to be ahead of the criminals in order to stay safe. 

More research in cyber security should be promoted and facilitated by increasing funding. Cyber security should be considered as important as a country's army because weapons can’t help if they are open to cyber attacks. 
There have been cases where claims have been made to have successfully compromised fingerprint scanners as well.[7] This shows we need better scanning technology, encryptions, and cryptography in the future. 
Blockchain Technology
Arguably claimed by some experts, Blockchain can be the future of the internet. Well, it may not be the case, but it can surely help make cloud services more secure. 
In blockchain technology, a digital ledger is maintained where the information is added permanently after verification. With more transparency and visibility to individuals, it makes tampering of data difficult. Further research in blockchain technology is needed for cloud protection as almost 95% of companies rely on cloud services.[8] 
Final words
To keep the cyber-threats in check, cyber security researchers need to keep on finding innovative technological solutions. By implementation of better security policies and measures, a safer world will not just remain a dream. 
[1] How Much Data Do We Create Every Day? The Mind-Blowing Stats Everyone Should Read by Bernard Marr, Forbes, Published on May 21, 2018
[2] Hackers Attack Every 39 Seconds | Security Magazine, studied at University of Maryland, Published in Security Magazine on February 10, 2017
[3] 30,000 Web Sites Hacked A Day | Forbes by James Lyne, Forbes, Published on Sep 6, 2013
[4] Acunetix’s report “Web Application Vulnerability 2019”, Acunetix, Published on March 5, 2019 [5] The 15 biggest data breaches of the 21st century, by Dan Swinhoe, CSO, April 17, 2020
[6] #nofreebugs twitter hashtags by security researchers against their exploitation [started in 2011]
[7] Hackers Claim ‘Any’ Smartphone Fingerprint Lock Can Be Broken In 20 Minutes, by Davey Winder, Editors' Pick, Forbes, Nov 2, 2019
[8] Changing Attitudes Towards Business Intelligence in the Cloud, DataSync, Published on August 16, 2017
[*] Copyright-Free Images, RawPixel and PixaBay

No comments:

Post a Comment