Cybersecurity Concerns of Using TCP/IP in Avionics

Use of TCP/IP in aircrafts affords mobile office and leisure while in transit 

Wireless radio has been the preferred method of communication in the aviation’s from inception. Its quiet clear now that

 “new aircraft designs use TCP/IP technology for the main aircraft backbone, connecting flight-critical avionics and passenger information and entertainment systems”

Going on newer technologies of TCP/IP and domain servers, the whole infotainment scenario is posed for change as ideas have moved toward several suggestions such as use of TCP/IP in communication

 Transmission Control Protocol make use of full packet switching and the routing of datagrams in the IP protocol make the aviation communication the same way we have the everyday experience and use of computers (Video, Audi, Email access, remote control). However, use of these in the airplane industry give rise to several concerns.

Threats

 This change in technology adoption allows new attacks not previously possible to the aviation. Already implementations of TCP/IP are currently vulnerable to several issues and the threat is more acute now as the media is filled with reports of data vulnerability, cyberterrorist, internet fraud and criminal activities from hacking and network compromise.

It also calls to understand the modern threat space (including the capabilities, intentions, and targeting actions of adversaries) and develop resilient systems that should make the avionics a safer travelling space.

Agregates 

IT security has to identify and segregate critical assets in the airborne craft and apply security engineering for each department favouring operations and entertainment. Imagining a hacker infiltrating the avionic flight operations is disastrous in itself though as disastrous as having an unauthorised access to passenger information and accessibilities. But again technology progresses such as the concerns raised are in themselves a way forward,. Businesses complete reliance on technology and communication for their business critical functions give rise to well thought out cybersecurity and tougher systems. A need for more trustworthy and resilient systems.

Mobile Devices and Their Physical Security Risks

Enterprise Mobility

10 years ago I was seated in a café, next to a lady just finishing up some work, having concluded in the current session she powered down and flipped her laptop back screen and gave me a genre to have an eye on the mobile while she visited the café’s services. I quickly pointed to my friend next to me how easy it was to unscrew the HDD bay cover and a further 3 screws inside. An operation that could have taken me under a minute and I would have had the wealth of information from her HDD.

A security control will ensure while been mobile, been the need to connect to corporate while out of office, you are safeguarded from various security risks. Enterprise mobility is the trend toward a shift in work habits, with more employees working out of the office and using mobile devices and cloud services to perform business tasks ~ Tech Target

Security Controls

There are three general categories that security controls fall under; these categories are Physical, Technical, and Operational (or procedural) security controls.

Operational, sometimes called procedural, security is concerned with the creation and enforcement of policies, procedures, and also include guideline documents, such as the ones we usually sign when we join an organisation like theAcceptable Use Policy. The AUP given the scenario above may dictate that the company laptop or mobile device or data sessions must never be left unattended in a public place.

Humans being naturally naïve can be an easy target for security breach.

All it requires is to study the operational security of the company and use the operational understanding loopholes.

Luckily today, following up on the above scenario, hard drives and memories for security reasons are now located deeper inside the device with mobility characteristics. Data mobility access are more strict, Tablets are even harder to physically open. Users when not encouraged are enforced to implement password or patterns authentication that lock the screen few seconds away from a point of inactivity, sign up for policies that can remotely wipe the mobile device in the lost incidence.

Physical Security Concessions

While the physical and environmental security programs refer to numerous occasions we can limit ourselves to the devices with mobility. And these could be the various measures or controls that matter and will protect organisations’ information seating on the equipment. A loss of connectivity to the mobile processing caused by theft which may result in an unauthorised access and the subsequent threats and/or vulnerability. Intentional destruction by disgruntled employees, mechanical equipment failure while on-the-go. 

Therefore, physical security measures should be sufficient to deal with foreseeable threats and should be tested periodically for their effectiveness and functionality. Physical security of the on-the-go and data or device mobility is demandable as the devices will operate away from one station and point.

Each point of operation is a varying character posing a risk to security breach.

By all means limit the physical access to the data on the cloud and mobile device to reduce the security threat.

"It is important to remember the fact that no security app or set of guidelines can ensure total security for a mobile phone device. Even devices that are fully secure today may not be so tomorrow. Individuals who share or access sensitive information from a mobile phone device should keep this point in mind." Says  IT Security

Potential threats to cyber security? Outsourcing and/or Offshoring

A Tech Partnership demonstrating threat management analysis

In the past recent years, given 20 years and so, outsourcing has manifested itself has a business trend all over the world as more business turn to this tool with obvious choice to reduce costs. Hence the companies have seen numerous departments/functions that can be outsourced such as human resources, customer service and the company’s information technology functions. 

With the recent assenting to regard data/information as company assets outsourcing IT functions must be given a careful consideration as a riskier practice that must be carefully chosen if implemented. It can be safely argued with no doubt that offshoring or outsourcing some functions is a potential threat to the cybersecurity of of the system and organisation.

Outsourcing organisation’s functions poses a variety of security concerns. When an organisation outsources some functions the authorised number of access to company’s material, equipment and IT asset increases which in return increases the surface of a breach.

 Beginning with confidentiality and privacy through total loss of system control. When an organization outsources its functions to a third party, it loses its confidentiality because the information stored on computers is now accessible to a third party. A third party breach means a breach to the offshored organization. It means information stored for employees and clients is also breached. This is tickling down from the outsourcing to the offshoed and down to its employees and clients revealing a large potential area.

 Imagine the FBI outsourcing a private firm to install access controls, authentication and database maintenance. The outsourcing firm gains access to all of the information that passes through the FBI computer system. This information includes financial data, agent’s records, ongoing investigation, which if released, could place the FBI organization in a serious vulnerable position.

 Ultimately from the industries’ experience the controls imposed on suppliers will sadly be lacking compared with those imposed on internal capabilities.  And that is the soft underbelly that can expose a business to often difficult to manage cyber risk.

Says Computerweekly

 Image courtesy; Tech Partnership

Tips Of The Computer Security

Computer security, also known as cybersecurity or IT security, is the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide.  ~Wikipedia Definition

Cybersecurity field is of growing importance and concern due to the increasing reliance of computer systems and mobile devices in most societies, in health and by governments. Information seating on these computers is increasingly now considered to be an asset and most companies have now their CEOs and Directors playing a major role in giving direction in the custody and safety of company data and information. Here are a few cybersecurity tips to keep you online and safe;
You are an Asset and Potential Liability 

Underground world of malware has advanced so much that the user is the first surface attack. Drive-by malware is flourishing. Email attachments, websites visited must all be paid attention to as they are the potential sources of infection. On a typical week i have seen several company email attachments that a employee with no sensitization had clicked on, would have led to grave system compromise and infection.

Use Security Software That Updates Automatically

Criminals are constantly developing newer ways to bypass systems. Un-patched systems are vulnerable for an unauthorised entry into the system. Drive-by-attacks account for millions of compromises made on computers.

Treat Your Personal Information Like Cash

Your information on internet is hard cash to scammers. Depending on your browsing patterns scammers obtain details of your shopping ability, lifestyle and so on. This information is easily passed on to online retailers. Don't expose your personal information anyhow. Check what you need to offload and who it is you are doing it with.

Check Out Companies to Find Out Who You’re Really Dealing With
Sometimes when i receive a call and the operator seems to ask a lot of questions i promptly get on my laptop and check the concerned company. The search is usually rev-elating as it becomes a source for validating the person on the other end.

Give Personal Information Over Encrypted Websites Only

Determine whether the website traffic is encrypted as it moves from your computer especially when you are logged in to sensitive websites like banking, Paypal, eBay and the likes. Checking can easily be achieved by looking into the URL. If it begins with HTTPS the chances are you are secure to go.

Protect Your Passwords.

Avoid exposing your passwords. Create stronger passwords by;
1) Combining both caps, mixing symbols and a number
2) Create longer passwords. The longer it is the longer a brute force attack will take to succeed. Though minimum in most systems is 6 a 12 character password will be ideal.


e.g crazytechguys = cr@zyt3chguyS is simple to remember but tough to crack.

Back Up Your Files

This is a very important practise but often ignored. One of the systems that i look after was compromised by a malware changing the file extensions. After a few days of crackling i had to admit the failure to restore the affected excel files. I wished only i had backed up to a removable drive just for onece in the month