Sunday, January 24, 2021

Cyber: Cyber Security for Consumer Internet of Things (IoT)

 


Still olden but golden, when it comes to IoT Connected Devices


I have briefly touched upon IoT (Internet of Things) at my blog previously:

Fast moving wireless world

https://trewmte.blogspot.com/2014/10/fast-moving-wireless-world.html

The Internet of Things (IoT)

https://trewmte.blogspot.com/2016/03/the-internet-of-things-iot.html

The Rise of (IoT) Domestic Appliance Forensic Examiners

https://trewmte.blogspot.com/2016/03/the-rise-of-iot-domestic-appliance.html

Smart Phones with Smart Homes

https://trewmte.blogspot.com/2016/06/smart-phones-with-smart-homes.html

eSIM - Observing Possible Outcomes Part 1

https://trewmte.blogspot.com/2019/12/esim-observing-possible-outcomes-part-1.html


I am adding update reference materials available on IoT and Cyber, if you haven't seen this info or weren't aware, which you might find useful.

ETSI in February 2019 released the first globally applicable standard for consumer IoT security:

etsi-releases-first-globally-applicable-standard-for-consumer-iot-security?jjj=1611490283528

This publicised event introduced the ETSI Stand ts_103645v010101 (2019)

CYBER; Cyber Security for Consumer Internet of Things

ts_103645v010101p.pdf

In 2020 ETSI updated the standard ts_103645v020102 with enhanced baseline requirements:

CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements

ts_103645v020102p.pdf

The object of these standards is to improve security and privacy. A common default password for all products are to be scrubbed with a unique default password per device applied instead. Moreover, it should not be possible to enable the password set at default in the first place once user changed. Apparently, many IoT (consumer) products on the market may still not (even today) meet this password objectives or other more basic requirements that have been stated in this newly released standard. 

Measures vendor companies should understake range from adopting simple installation and user guidance with good documentation in support; good hardware/software security engineering practice; for personal privacy the standard sets out protection objectives for all sensitive personal data required to be stored securely - that is both on devices, themselves, and in any related services e.g. in the cloud. Any personal data should be encrypted and should be protected against attack; and with clear instructions how consumers can easily delete their personal data.

Whilst this standard provides consumers with confidence in their IoT product, it equally has been designed to allow vendors companies sufficient flexibility to enable them to innovate and find the best solution for security and privacy for their particular IoT products. Password protection, encryption, and safe deletion are some solutions. Others could be block-off network ports; close-off software not being used; avoidance of exploited data (OOR) by adoption of a validation approach; secure-boot mechanisms (hardward-based); with ease and secure device software updates (e.g. use- menu selection or autonomic/automated (e.g. ZTP etc)). These are possible solutions.

I did like that ETSI had included specific demands about disclosure in this standard for vendor companies to identify, act upon and promptly report vulnerabilities.

However, from a cyber aspect, the ETSI Technical Committee on Cybersecurity (TC CYBER) has overseen and published over 50 cyber standards, some of which are referenced below:

ETSI TS 103 744 V1.1.1 (2020-12)Published

CYBER; Quantum-safe Hybrid Key Exchanges


ETSI TS 103 523-1 V1.1.1 (2020-12)Published

CYBER; Middlebox Security Protocol; Part 1: MSP Framework and Template Requirements


ETSI TS 103 718 V1.1.1 (2020-10)Published

CYBER; External encodings for the Advanced Encryption Standard


ETSI TR 103 644 V1.2.1 (2020-09)Published

CYBER; Observations from the SUCCESS project regarding smart meter security


ETSI TS 103 485 V1.1.1 (2020-08)Published

CYBER; Mechanisms for privacy assurance and verification


ETSI TR 103 619 V1.1.1 (2020-07)Published

CYBER; Migration strategies and recommendations to Quantum Safe schemes


ETSI EN 303 645 V2.1.1 (2020-06)Published

CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements


ETSI TS 103 645 V2.1.2 (2020-06)Published

CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements


ETSI TR 103 306 V1.4.1 (2020-03)Published

CYBER; Global Cyber Security Ecosystem


ETSI TR 103 644 V1.1.1 (2019-12)Published

CYBER; Increasing smart meter security


ETSI TR 103 618 V1.1.1 (2019-12)Published

CYBER; Quantum-Safe Identity-Based Encryption


ETSI TR 103 331 V1.2.1 (2019-09)Published

CYBER; Structured threat information sharing


ETSI TS 103 523-3 V1.3.1 (2019-08)Published

CYBER; Middlebox Security Protocol; Part 3: Enterprise Transport Security


ETSI TS 103 523-3 V1.2.1 (2019-03)Published

CYBER; Middlebox Security Protocol; Part 3: Enterprise Transport Security


ETSI TS 103 645 V1.1.1 (2019-02)Published

CYBER; Cyber Security for Consumer Internet of Things


ETSI TR 103 370 V1.1.1 (2019-01)Published

CYBER; Practical introductory guide to Technical Standards for Privacy


ETSI TS 103 457 V1.1.1 (2018-10)Published

CYBER; Trusted Cross-Domain Interface: Interface to offload sensitive functions to a trusted domain


ETSI TR 103 642 V1.1.1 (2018-10)Published

CYBER; Security techniques for protecting software in a white box model


ETSI TS 103 523-3 V1.1.1 (2018-10)Published

CYBER; Middlebox Security Protocol; Part 3: Profile for enterprise network and data centre access control


ETSI TR 103 617 V1.1.1 (2018-09)Published

CYBER; Quantum-Safe Virtual Private Networks


ETSI TR 103 305-1 V3.1.1 (2018-09)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls


ETSI TR 103 305-2 V2.1.1 (2018-09)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 2: Measurement and auditing


ETSI TR 103 305-3 V2.1.1 (2018-09)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations


ETSI TR 103 305-5 V1.1.1 (2018-09)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 5: Privacy enhancement


ETSI TR 103 305-4 V2.1.1 (2018-09)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms


ETSI TR 103 306 V1.3.1 (2018-08)Published

CYBER; Global Cyber Security Ecosystem


ETSI TS 103 458 V1.1.1 (2018-06)Published

CYBER; Application of Attribute Based Encryption (ABE) for PII and personal data protection on IoT devices, WLAN, cloud and mobile services - High level requirements


ETSI TS 103 307 V1.3.1 (2018-04)Published

CYBER; Security Aspects for LI and RD Interfaces


ETSI TS 103 532 V1.1.1 (2018-03)Published

CYBER; Attribute Based Encryption for Attribute Based Access Control


ETSI TR 103 456 V1.1.1 (2017-10)Published

CYBER; Implementation of the Network and Information Security (NIS) Directive


ETSI TS 102 165-1 V5.2.3 (2017-10)Published

CYBER; Methods and protocols; Part 1: Method and pro forma for Threat, Vulnerability, Risk Analysis (TVRA)


ETSI TR 103 570 V1.1.1 (2017-10)Published

CYBER; Quantum-Safe Key Exchanges


ETSI TR 103 421 V1.1.1 (2017-04)Published

CYBER; Network Gateway Cyber Defence


ETSI TR 103 306 V1.2.1 (2017-03)Published

CYBER; Global Cyber Security Ecosystem


ETSI TS 103 307 V1.2.1 (2016-10)Published

CYBER; Security Aspects for LI and RD Interfaces


ETSI TR 103 305-2 V1.1.1 (2016-08)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 2: Measurement and auditing


ETSI TR 103 305-3 V1.1.1 (2016-08)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations


ETSI TR 103 305-4 V1.1.1 (2016-08)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms


ETSI TR 103 305-1 V2.1.1 (2016-08)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls


ETSI TR 103 331 V1.1.1 (2016-08)Published

CYBER; Structured threat information sharing


ETSI TR 103 304 V1.1.1 (2016-07)Published

CYBER; Personally Identifiable Information (PII) Protection in mobile and cloud services


ETSI TR 103 369 V1.1.1 (2016-07)Published

CYBER; Design requirements ecosystem


ETSI EG 203 310 V1.1.1 (2016-06)Published

CYBER; Quantum Computing Impact on security of ICT Systems; Recommendations on Business Continuity and Algorithm Selection


ETSI TS 103 307 V1.1.1 (2016-04)Published

CYBER; Security Aspects for LI and RD Interfaces


ETSI TR 103 303 V1.1.1 (2016-04)Published

CYBER; Protection measures for ICT in the context of Critical Infrastructure


ETSI TS 103 487 V1.1.1 (2016-04)Published

CYBER; Baseline security requirements regarding sensitive functions for NFV and related platforms


ETSI TR 103 308 V1.1.1 (2016-01)Published

CYBER; Security baseline regarding LI and RD for NFV and related platforms


ETSI TR 103 306 V1.1.1 (2015-11)Published

CYBER; Global Cyber Security Ecosystem


ETSI TR 103 309 V1.1.1 (2015-08)Published

CYBER; Secure by Default - platform security technology


ETSI TR 103 305 V1.1.1 (2015-05)Published

CYBER; Critical Security Controls for Effective Cyber Defence

Posted by at No comments:
Labels: , , , , , , , , , , , , ,

Friday, January 01, 2021

CSA Location Determination Investigations - The continuing mission

Recalling that I have posted here at trewmte.blogspot and cellsiteanalysis.blospot over the years was to assist interpretation of data and testing for cell site anslysis and elements that can be used when conducting investigations, I have posted below a few of the weblinks to help this discussion along.

https://trewmte.blogspot.com/2014/07/csa-site-survey-method3mobility-models.html

http://trewmte.blogspot.com/2009/08/cell-site-analysis-csa-images-part-2.html

http://trewmte.blogspot.com/2008/11/mobile-phones-and-fringe-coverage.html

http://cellsiteanalysis.blogspot.com/

https://www.dropbox.com/s/g912o5dji9wkxfk/3G%20Networks%20position%20techniques.pdf

It is noteworthy the ITU in 2017 published a series of documents regarding call details record (CDR) and specified network data that could be captured in CDRs to assist a wide range of tasks to comprehend mobile phone movement caused by migration to determining trip travel and destination. These studies were conduct in Liberia, Sierra Leone and Republic of Guinea:

Liberia CDR reallocation D012A0000C93301PDFE.pdf

CDR Sierra Leone D012A0000CA3301PDFE.pdf

CDR Republic of Guinea D012A0000D03301PDFE.pdf

The reports identify how to obtain, collate, display overlay geodata/mapping and interpolation of the format specification that I rather think is highly useful to CSA investigations. The ITU source highlights CDRs capturing association with PoI, Trip Segmentation, Trajectory and Stay Points etc. I am simplifying in my summary what is undoubtedly more detailed discussion in these reports to show that 'time' and ‘location’ will be highly relevant. 

CSA has not been without the knowledge regarding peak-time call traffic, density of call traffic, tracking etc and these are used in call analysis and CSA. In these reports though the defining stay points captured in the call records add useful evidence such as travel, location, co-location (if relevant), association (if relevant), landmarks, so on and so forth.

Consideration of trip segmentation in the report states ""Trip segmentation: Extract stay points from anonymized CDR data, and divide move/stay segments. Figure 7.4 explains how stay points are extracted by applying parameters and thresholds to CDR data." In this regard the threshold parameters for stay points are specified as 'Minimum Time Duration 15 Minutes' and 'Maximum Distance 300 Meter'. To assist further here is a useful image with data from the ITU Liberia report:

To extrapolate such detail require Trip segmentation, Stay point reallocation, Route interpolation, Grid-based aggregation and Visualization and so on. To dig into the detail to assist interpretation:

"Stay point reallocation: Reallocate stay points (Trip OD) to surrounding points of interest (POIs) with a certain probability and fil gap between stay/move segments. POIs are regarded as surrounding a certain cell tower if they are closer to the cell tower location than to the others (Voronoi tessellation). The reallocation is necessary because CDR location data is based on cell tower location, which means that all users in the same area have the same location. Reallocation can make the distributing of people more realistic or likely because POIs can be considered places where people are likely to stay or visit, such as shopping areas, residential houses, villages, and to which people are reassigned rather than concentrating on cell tower locations. A new dataset of POIs was constructed for this process by collecting data from the distribution of buildings from open access Internet data (see Appendix 2). Figure 7.5 shows how POIs are distributed in a city. Areas in blue indicate building POIs with extracted stay points, where location information originally based on antenna location, are reallocated."

Lastly, the reports published in 2017 discussed relevance to 2G, 3G and 4G.


Posted by at No comments:
Labels: , , , , , ,

DoDM 8570 Baseline Certification

Crikey! Whilst DoDM 8570 requires at least one base line certificate this roadmap suggests if you want to take all these certificates it would run to n-years of your life just taking certs. 

Realistically, useful to see what certs can be taken to meet the requirements. Image from https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/



Posted by at No comments:
Labels: , , , , ,

Security! It's a state of mind...


 

Posted by at No comments:
Labels: , , , , , , , , ,
Subscribe to: Posts (Atom)