CYBERSECURITY—PRIVACY BY DESIGN—MEETINGS HELD MARCH 5, 2015 in IEEE FOOTHILL
|March 11, 2015||Posted by COMauthor under CN, COMSOC, CS, EDCAS, MTT/APS, PES||
The IEEE Foothill Section welcomed Mike Davis and Bill Bonney from the IEEE San Diego Section for presentations on CyberSecurity—Privacy by Design on Thursday, March 5, 2015. Two sessions were held that day: the first in the late afternoon at California Baptist University Riverside, the second at Harvey Mudd College in the evening. Many IEEE members and IEEE Student members attended and came away with multiple insights into this field. The following are some notes from the afternoon session at California Baptist University Riverside, with editorial commentary added.
Why is Cybersecurity akin to an octopus with tentacles across so many fields and topics? Bill Bonney gave some insight into that fact when he discussed the Internet of Things (IoT). Within the IoT, there are three types of devices, each with a time period when they are expected to be functioning. Some wearables and personal items may have a one to three year expected lifespan. Some durables, such as washing machines, can be expected to last for 5 to 15 years. A further class of devices, such as smart grid meters, would be designed for a 30 to 50 year useful life. Each of these three classes would be designed with respect to different current or anticipated threats: the longer a device is expected to stay in service, the further ahead its designers must anticipate. Each class would be expected to counter its own set of threats and have reduced vulnerability to any of them. Not an easy or straightforward problem to convert into a set of requirements, to be sure.
As Mike Davis followed up from this point, he pointedly noted that there is no single set of Cybersecurity requirements and flow-down specifications. However, there are many features that should be incorporated in a “Privacy by Design” plan. These would include the following proactive activities within every business, no matter what size it is. To paraphrase our speaker’s commentary: (1) For all software in your business, maintain the current tested application upgrade (.exe file) as well as all software patches. (2) Control access to the network environment with layers of privileged access. Only a minimal set of users should have administrator capability for access. Minimal in this context is a number greater than ONE. (3) All programs and URLs that a user has access to should have verifiable software certificates. The IT crew should create a “white list” for these approved URLs. (4) Maintain an inventory and log of all current software and hardware in use. (5) Put in place active management (supply chain management / risk management as well as Security Information and Event Management). Real-time event logs will give the system IT administrators visibility into how the system is performing. Every hiccup needs to be explained.
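To make points (1), (2), (4) and (5) concrete, here is an added illustration of how a small business could audit its own records: an installed-software inventory is compared against a list of approved, tested versions, the administrator group is checked for being minimal but larger than one, and a simple event log is reviewed for privileged-access activity that needs explaining. This is example code written for these notes, not code from the speakers or from IEEE; the approved-version list, the administrator set, the inventory rows and the log lines are all constructed sample data, and the key=value log format is an assumption chosen for readability.

```python
"""Inventory and event-log audit illustrating the speaker's points (1), (2), (4), (5).

All data below is constructed for this example; this is not code from the
speakers, from IEEE, or from any product.
"""
import re
from datetime import datetime

# (1) Approved, tested application versions (constructed sample data).
APPROVED_SOFTWARE = {
    "office-suite": "4.2.1",
    "pdf-reader": "11.0.3",
    "vpn-client": "2.8.0",
}

# (2) The administrator set: more than one person, but only a few.
ADMIN_USERS = {"alice", "dave"}

# (4) Constructed inventory: what is actually installed on each host.
INVENTORY = [
    {"host": "ws-01", "software": "office-suite", "version": "4.2.1"},
    {"host": "ws-02", "software": "office-suite", "version": "4.1.0"},
    {"host": "ws-03", "software": "pdf-reader", "version": "11.0.3"},
    {"host": "ws-03", "software": "screen-recorder", "version": "1.0"},
]

# (5) Constructed event log lines in an assumed key=value format.
EVENT_LOG = """\
2015-03-05T16:02:11 host=ws-01 user=alice event=admin_login result=ok
2015-03-05T16:05:42 host=ws-02 user=bob event=admin_login result=ok
2015-03-05T16:06:10 host=ws-02 user=bob event=admin_login result=fail
2015-03-05T16:09:55 host=ws-03 user=carol event=user_login result=ok
2015-03-05T16:12:03 host=ws-03 user=dave event=patch_install result=ok
"""


def version_tuple(version):
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def audit_inventory(inventory, approved=APPROVED_SOFTWARE):
    """Return (host, software, reason) for software that is unapproved or outdated."""
    findings = []
    for item in inventory:
        name, version = item["software"], item["version"]
        if name not in approved:
            findings.append((item["host"], name, "not on approved list"))
        elif version_tuple(version) < version_tuple(approved[name]):
            findings.append((item["host"], name, f"outdated: {version} < {approved[name]}"))
    return findings


def admin_set_ok(admins=ADMIN_USERS, max_admins=3):
    """'Minimal' means more than one administrator, but only a small number."""
    return 1 < len(admins) <= max_admins


LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_event(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict, or None if malformed."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    timestamp, rest = match.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["timestamp"] = datetime.fromisoformat(timestamp)
    return fields


def audit_events(log_text, admins=ADMIN_USERS):
    """Return (time, user, reason) for every log event that needs an explanation."""
    findings = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        when = event["timestamp"].isoformat()
        # Privileged login by someone outside the approved administrator set.
        if event.get("event") == "admin_login" and event.get("user") not in admins:
            findings.append((when, event.get("user"), "admin login by non-admin user"))
        # Any failure is a "hiccup" that should be explained, whoever caused it.
        if event.get("result") == "fail":
            findings.append((when, event.get("user"), f"failed {event.get('event')}"))
    return findings


if __name__ == "__main__":
    print("Administrator set minimal:", admin_set_ok())
    for finding in audit_inventory(INVENTORY) + audit_events(EVENT_LOG):
        print(finding)
```

The two audits are deliberately separate: the inventory check answers "is what we run what we tested?", while the log check answers "did anything privileged or failed happen that nobody has accounted for?". A real deployment would feed `audit_inventory` from an asset-management export and `audit_events` from the SIEM, but the decision logic stays this simple.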
Prior to these presentations, our speaker Mike Davis had solicited questions from our members and students on what they wanted to hear about Cybersecurity. Simply listing these questions, in paraphrased fashion, will give our other IEEE Foothill members a flavor of this meeting. Throughout the briefing, Mike Davis presented comments and answers to each question, with further queries and comments coming from the audience.
(1) What can a small business company, without a separate and dedicated IT department, and without a large budget to spend on security, do to provide cybersecurity?
(2) Just how insecure is it to use regular free email services? To go online with my laptop at WiFi hotspots located in airports or Starbucks?
(3) Do you need an expensive Cisco router instead of a normal home router (D-Link, Netgear, etc.) to protect yourself and your work in a home office?
(4) Is Phishing, and the misleading responses to such phishes and scams, the “weakest link” in the security for a network site?
(5) How secure (in the sense of preventing intruders) are firewalls? How many levels of authentication are the minimum needed, if there is such a general rule backed up by actual testing?
(6) After reviewing the latest online Kaspersky Lab blog report on the “#EquationTeam”, how can we know that any hard drives, including flash drives, do not have compromised firmware? (Are we at the mercy of unknown and unknowable hard drive malware?)
(7) As a Computer Science graduate who is looking to enter the Information Security work world, what is the best way to go about this?
(8) Are certifications like the CISSP as relevant as before, or are there better routes to qualification (as a Security Expert)?
(9) How do we convince people that they should care about encryption, without using scare tactics?
An interesting discussion ensued, all around the lecture hall. What can our IEEE members take from this meeting? Given that we all have an understanding of the need for security of documents, discussions, plans, and personal privacy data, we gained insight into the means of providing such security. By reading the specific NIST document Appendix J that Mr. Davis referred to, we can educate ourselves in depth about privacy controls. In turn, we can evaluate a security plan that an outside vendor might present for our engineering department / small engineering business. Such “Due Diligence” should let us get back to the work of engineering and having a productive business. After all, we do not want to spend our working time totally occupied with compliance lawyers.
We in the IEEE Foothill Section thank our speakers, Mike Davis and Bill Bonney, for coming to give our IEEE members and IEEE Student members a solid presentation on this important Cybersecurity topic.