Billions of physical devices are connected to the internet (Radomirovic, 2010). These devices collect and share data using the Internet of Things, or IoT. Anything can be turned into a part of the IoT with the help of processors and wireless networks. IoT adds digital intelligence to devices, which lets them communicate without the help of a human being and hence makes it possible to merge the digital and physical worlds (PurpleSyntax, 2018). Everyday objects can be made ‘smart’ by adding sensors and communication interfaces to them. Here the word ‘smart’ means that the objects are able to communicate required information about their surroundings (Sklavos & Zaharakis, 2016).
Gigantic Corporation is an information and technology organization. It manufactures a variety of software and hardware that provide its users with many telecommunication services. The organization is facing various IT risks such as security threats, data breaches and other cyber-crimes (Carr, 2016).
Gigantic Corporation is an IT organization and I work here as an IT Risk Assessment lead consultant. The main roles of an IT risk consultant are to develop risk policies for the company, assist in risk analysis, develop risk management practices, manage threats to information security and improve security systems so that users can secure their private information.
There are various information technologies used by Gigantic Corporation, for example, the Internet of Things, wireless networks, cloud computing, network protocols, and information technologies (Chakhchoukh & Ishii, 2015). By using all these technologies, Gigantic Corporation provides communication services to many companies and consumers.
As the use of electronic data processing increases in the Gigantic organization, securing the information and privacy of IoT has become a major issue (T.K & Jebakumar, 2018). Westin defined information privacy in 1968 as “the right to select what personal information about me is known to what people”. This report covers the threats and risks to the Internet of Things, or IoT, in the Gigantic organization and the methods the organization can adopt to reduce its IoT risk. The organization can ensure IoT security with four cornerstones: Protecting Communications, Protecting Devices, Managing Devices and Understanding your System (Symantec, 2016). Privacy of the organization’s confidential data can also be assured by cryptography, awareness of privacy risks, individual control over the collection and processing of information, and data minimization (Aleisa & Renaud, 2016).
IoT technologies and features are evolving very fast, and so are the ways of interacting with the IoT. Some of the risks of IoT include extended downtime, physical harm to people, and damage to equipment such as pipelines, power generation facilities and blast furnaces (Beta.complyscore, 2016). IoT and these kinds of facilities have been attacked several times and materially damaged. Hence security has become the most important need for anyone who makes and operates IoT devices and systems (Symantec, 2016). Some of the security requirements on IoT are (Deogirikar & Vidhate, 2017):
The evolution of IoT technologies and their features leads to several privacy threats and challenges (Alsaadi & Tubaishat, 2015). These threats can be classified according to where in our reference model they are most likely to appear.
Figure: Threats in the Reference Model
(Source: Ziegeldorf, Morchon, & Wehrle, 2013)
From the reference model it can be seen that there are seven threat categories:
Identification denotes the threat of associating an identifier, e.g. a name and address, with an individual. Associating a particular identity with a particular privacy-breaching context is a threat in itself, and in addition it leads to several other threats, e.g. combination of different data sources or profiling and tracking (Ziegeldorf, Morchon, & Wehrle, 2013). Gigantic Corporation faces the identification threat, as the identities of a large number of its employees are associated with those of other co-workers. The backend services of our reference model concentrate a large amount of information, and the information processing phase has the highest chance of an identification threat.
Localisation and tracking is the threat of determining and recording the location of a person through time and space. The Gigantic company faces the threat of localisation and tracking, as hackers track information about the location of the company’s important meetings, and thus services can be targeted at a specific location and a particular time (Kozlov, Veijalainen, & Ali, 2012). Tracking someone’s location requires binding identification of some kind to continuous localization of the individual (Aleisa & Renaud, 2016). There are different means of tracking today, e.g. GPS, internet traffic or mobile phone location. Many privacy violations related to this threat have been identified, e.g. GPS stalking (Ziegeldorf, Morchon, & Wehrle, 2013). Localisation and tracking threats mainly occur in the information processing phase, where the location of the subject is traced without his consent.
Profiling refers to the threat of collecting information about individuals in order to infer their interests by correlation with other data and profiles. The Gigantic company faces profiling issues, as its employees can be targeted specifically. In e-commerce, profiling is mostly used for personalization. It is also used for internal optimization based on customer interests and demographics (Ziegeldorf, Morchon, & Wehrle, 2013). Examples of profiling that lead to privacy violations are unsolicited advertisements, price discrimination, erroneous automatic decisions and social engineering. Profiling threats mainly occur in the dissemination phase.
This threat refers to personal information being conveyed through a common medium and, in the process, being disclosed to an unwanted audience. IoT applications such as transportation, healthcare and smart retail need interaction with the user. Smart things such as speakers, advanced lighting installations and video screens are used to provide information to users. Users control these smart things in new, intuitive ways, such as touching, moving and speaking to them (Ziegeldorf, Morchon, & Wehrle, 2013). These interaction mechanisms are public; hence the Gigantic company’s information and private data are under threat, because anyone in the vicinity can observe them. When personal information is exchanged between the user and the system, this becomes a threat to privacy (Aleisa & Renaud, 2016).
Privacy is threatened during changes of control spheres in the lifecycle of smart things, because private information is disclosed. The data collected and stored in smart things is the main reason behind privacy violations from lifecycle transitions (Aleisa & Renaud, 2016). The lifecycle threat is mainly related to the information collection phase of the reference model. The Gigantic company’s devices are sold and disposed of when they go out of use. It is assumed that all the data is deleted, but devices store a lot of information about their history throughout their entire lifecycle.
Unauthorized collection of information about personal things and data is known as an inventory attack (Aleisa & Renaud, 2016). Hackers use inventory data to access the Gigantic company’s confidential data and to find a safe time to break in.
This threat arises when previously separate systems are linked. The combination of data sources reveals information that the subject did not disclose to the previously isolated sources. When data collected from different sources under different circumstances and permissions is combined, users fear poor judgement and loss of context (Weber, 2010).
In order to preserve privacy within the organization and the security of end-users and service providers, as an IT consultant I suggest that Gigantic Corporation incorporate these privacy policies to provide better security and to protect the company from the various threats mentioned above. Below is the list of privacy-preserving solutions (Aleisa & Renaud, 2016):
Apart from the solutions mentioned above, there are other solutions as well. These are mentioned below:
IoT systems are highly complex and require end-to-end security that covers both the cloud and connectivity layers. Strong security solutions are needed; otherwise attackers simply use the weakest link to breach the security walls of the organization. Gigantic Corporation’s systems drive and handle data from IoT systems. There is a need for additional and unique security solutions for IoT systems. Security for IoT systems can be covered with four important cornerstones. By combining these four security cornerstones, robust and easy-to-deploy security architectures can be formed. Such a security architecture will help mitigate the majority of security threats to the Internet of Things (Symantec, 2016).
As mentioned, there are four major security constraints:
Three fundamental terms define meaningful security: encryption, authentication and key management. The key management techniques used by Gigantic Corporation for IoT are still not safe. A “trust model” is available to protect billions of transactions. This “trust model” helps systems authenticate the systems of other companies and then start encrypted communication with those systems (Banerjee, Dong, Taghizadeh, & Biswas, 2014). Accepting data that is not verified can be dangerous to the company. This kind of data can corrupt the device, and a malicious party could gain control of the device. Therefore strong authentication is needed to restrict such threats. Elliptic Curve Cryptography is ten times faster and more efficient than the traditional encryption process and does not compromise on the security of IoT (Symantec, 2016).
Each device boots and runs some kind of code whenever it is powered up. It is necessary to ensure that the device does only what it was programmed to do. Therefore, the first step in protecting a device is to make sure that it boots and runs only the code that we want it to run. OpenSSL libraries are available to check the signatures of the code and accept code only if it comes from an authorized source. To ensure that the code is not tampered with after being signed, cryptographic code signing is used, at both the application and firmware levels. To protect the devices there are some rules for accepting data: “never trust unsigned code”, “never trust unsigned data” and “do not ever trust unsigned configuration data” (Symantec, 2016). For Gigantic Corporation the main challenges are ‘managing the keys’ and ‘controlling access to the keys’.
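The rule “never trust unsigned code” from the paragraph above, shown as a POSIX shell example that uses the OpenSSL command-line tool; it is added here and is not part of the original report or of the cited Symantec paper. The helper functions, file names and sample image are assumptions constructed for the demonstration, and the signature scheme chosen is ECDSA over P-256 with SHA-256.

```sh
# Added example: refuse a firmware image unless its ECDSA signature verifies
# against a pinned public key. File names and all three helper functions are
# hypothetical; the image content is constructed sample data.

# Vendor side: create a P-256 key pair in directory $1 and sign $1/fw.bin.
# In practice the private key stays on an HSM or an offline signing host.
sign_image() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/signing.key" 2>/dev/null || return 1
    openssl pkey -in "$1/signing.key" -pubout -out "$1/trusted.pub" 2>/dev/null || return 1
    openssl dgst -sha256 -sign "$1/signing.key" -out "$1/fw.sig" "$1/fw.bin"
}

# Device side: verify_firmware <trusted.pub> <image> <signature>
# 0 = signature valid, 1 = invalid or tampered, 2 = unsigned or file missing.
verify_firmware() {
    [ -s "$1" ] && [ -s "$2" ] && [ -s "$3" ] || return 2
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1 || return 1
}

# Installer gate: prints the decision and returns verify_firmware's status.
install_if_trusted() {
    rc=0
    verify_firmware "$1" "$2" "$3" || rc=$?
    case $rc in
        0) echo "accept: $2" ;;
        1) echo "reject (bad signature): $2" ;;
        *) echo "reject (unsigned): $2" ;;
    esac
    return $rc
}

# Constructed demo input: a throwaway directory holding a fake image.
demo_dir=$(mktemp -d)
printf 'constructed firmware image v1.0\n' > "$demo_dir/fw.bin"
sign_image "$demo_dir"
install_if_trusted "$demo_dir/trusted.pub" "$demo_dir/fw.bin" "$demo_dir/fw.sig" || true
printf 'x' >> "$demo_dir/fw.bin"   # simulate tampering after signing
install_if_trusted "$demo_dir/trusted.pub" "$demo_dir/fw.bin" "$demo_dir/fw.sig" || true
install_if_trusted "$demo_dir/trusted.pub" "$demo_dir/fw.bin" "$demo_dir/none.sig" || true
rm -rf "$demo_dir"
```

Only the public key needs to be present on the device; where the private key lives and who may use it is the key-management problem the paragraph names as the main challenge.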
There are strong standards for managing software and firmware inventories on each device as well as device configuration. Managing security for each device requires managing the configuration of host-based security technologies. Some security technologies need OTA updates of security content. Others depend only on policy-based mechanisms. Policy-based security technologies need updates only when the software on a device is re-imaged for purposes such as adding functionality. Security components are not the only components on each device that need to be managed securely and safely. The data generated by the sensors of most devices needs to be collected and transmitted safely and securely for storage in a safe and secure place. To manage devices, IoT systems are provided with update capabilities built into them from the start. The chances of threats and vulnerabilities increase if devices are not provided with built-in OTA updates (Symantec, 2016).
Today, most IoT technologies and systems are considered “intranets of things.” Whether a device should be trusted or not depends on a “Directory of Things.” This directory tracks the security information of each device and IoT system. It also helps in managing the permissions that devices and systems grant each other. These directories also help in the discovery of devices as the number of IoT devices increases. Because of these directories it has become possible to find remote devices quickly. Details of each device, along with its capabilities and reputation, are listed in this directory (Symantec, 2016).
Conclusion
As discussed above, IoT is connecting billions of devices to the internet, which collect and share data. With the help of IoT it has become possible for devices to communicate without any human being. But as we said above, there are various threats to the Internet of Things. The digital devices used in Gigantic Corporation are also connected to the Internet of Things and are also prone to various attacks and threats. The security systems used in the organization are not enough to secure the devices from these attacks. Privacy is also important while communicating with IoT. Several privacy threats and security issues are discussed above (Ziegeldorf, Morchon, & Wehrle, 2013). This report elaborates a simple and effective architecture for IoT security and privacy threats and also discusses the privacy-preserving policies for IoT needed in the Gigantic company.
References
Abdmeziem, M. M. R. (2016). Data confidentiality in the internet of things (Doctoral dissertation, Université des Sciences et de la Technologie Houari Boumediène).
Abdul-Ghani, H. A., Konstantas, D., & Mahyoub, M. (2018). A Comprehensive IoT Attacks Survey based on a Building-blocked Reference Model. International Journal of Advanced Computer Science and Applications, 9(3), 355-373.
Abomhara, M., & Køien, G. M. (2014, May). Security and privacy in the Internet of Things: Current status and open issues. In Privacy and Security in Mobile Systems (PRISMS), 2014 International Conference on (pp. 1-8). IEEE.
Aleisa, N., & Renaud, K. (2016). Privacy of the Internet of Things: A Systematic Literature Review (Extended Discussion). arXiv preprint arXiv:1611.03340.
Alsaadi, E., & Tubaishat, A. (2015). Internet of Things: Features, Challenges, and Vulnerabilities. International Journal of Advanced Computer Science and Information Technology, 4(1), 1-13.
Banerjee, D., Dong, B., Taghizadeh, M., & Biswas, S. (2014). Privacy-preserving channel access for internet of things. IEEE internet of things journal, 1(5), 430-445.
Beta.complyscore, (2016). Art of IoT Security. Retrieved from: https://beta.complyscore.com/wp-content/uploads/2016/03/IOT_Workshop_Flyer.pdf
Deogirikar, J., & Vidhate, A. (2017, February). Security attacks in IoT: a survey. In I-SMAC (IoT in Social, Mobile, Analytics and Cloud)(I-SMAC), 2017 International Conference on (pp. 32-37). IEEE.
Husamuddin, M., & Qayyum, M. (2017, March). Internet of Things: A study on security and privacy threats. In Anti-Cyber Crimes (ICACC), 2017 2nd International Conference on (pp. 93-97). IEEE.
Kozlov, D., Veijalainen, J., & Ali, Y. (2012, February). Security and privacy threats in IoT architectures. In Proceedings of the 7th International Conference on Body Area Networks (pp. 256-262). ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering).
PurpleSyntax, (2018). The Beginners Guide to The Internet of Things. Retrieved from: https://www.purplesyntax.com/blog/The_Beginners_Guide_to
Rachid, S., Challal, Y., & Nadjia, B. (2015, November). Internet of things context-aware privacy architecture. In Computer Systems and Applications (AICCSA), 2015 IEEE/ACS 12th International Conference of (pp. 1-2). IEEE.
Radomirovic, S. (2010, December). Towards a Model for Security and Privacy in the Internet of Things. In Proc. First Int’l Workshop on Security of the Internet of Things.
Sklavos, N., & Zaharakis, I. D. (2016, November). Cryptography and Security in Internet of Things (IoTs): Models, Schemes, and Implementations. In New Technologies, Mobility and Security (NTMS), 2016 8th IFIP International Conference on (pp. 1-2). IEEE.
Skarmeta, A. F., Hernandez-Ramos, J. L., & Moreno, M. V. (2014, March). A decentralized approach for security and privacy challenges in the internet of things. In Internet of Things (WF-IoT), 2014 IEEE World Forum on (pp. 67-72). IEEE.
Symantec. (2016). An Internet of Things Reference Architecture. Retrieved from: https://www.symantec.com/content/dam/symantec/docs/white-papers/iot-security-reference-architecture-en.pdf
T.K, A., & Jebakumar, R. (2018). Security & privacy in IoT Data Provenance. International Journal of Engineering and Technology, 10(3), 843-847.
Weber, R. H. (2010). Internet of Things–New security and privacy challenges. Computer law & security review, 26(1), 23-30.
Westin, A. F. (1968). Privacy and freedom. Washington and Lee Law Review, 25(1), 166.
Ziegeldorf, J. H., Morchon, O. G., & Wehrle, K. (2014). Privacy in the Internet of Things: threats and challenges. Security and Communication Networks, 7(12), 2728-2742.