Education

As a security consultancy firm, our job is to provide guidance on security best practices that protect the privacy and data of every client we serve. We believe strong encryption should be a global effort in support of national security, personal security and privacy, and free expression. In particular, end-to-end encryption is what currently keeps our information assets secure across the web. For those who are not familiar with end-to-end encryption and why it matters in all aspects of security, here is a good video resource: https://www.youtube.com/watch?v=ADg7x2Buw0s

To extend our effort in advocating the adoption of strong encryption, we would like to announce our membership in the Global Encryption Coalition community. As stated by the Global Encryption Coalition, “several governments and law enforcement agencies are trying to ban or weaken encryption for everyone”. The premise is that “They (the governments) want to require companies using encryption to create backdoors to catch criminals or wrongdoers”. We believe in a global movement to strengthen and preserve the use of strong encryption. As part of a global coalition, the movement calls on governments and the private sector to reject efforts to undermine encryption and to pursue policies that promote the adoption of strong encryption.

While members of the Global Encryption Coalition recognize crime prevention as a universal priority, undermining encryption would also mean greater threats to the global economy, at the expense of users’ security and privacy.

As Edward Snowden once said, “If you weaken encryption, people will die. This year alone, after the fall of the government of Afghanistan, we saw how crucial encryption is in keeping ordinary people safe. … Encryption makes us all safer. From families protecting photographs of their kids, to personal healthcare information, encryption keeps our private information private”.

The technical measures currently being proposed to “break” end-to-end encryption all have one thing in common: each of them creates a form of “backdoor access” in order to “moderate” the data being sent. Any such backdoor is available to whoever obtains the access, not only the party it was built for, and the opportunities for misuse can be disastrous.

What this means for Canadians

The Supreme Court of Canada has ruled that speech, including controversial or repugnant speech, has social value and should be protected from unjustified state monitoring. Despite criticism, we have seen attempts by the government to enact “online harm laws” that would restrict yet-to-be-defined “hurtful” online content, with the targeted categories being terrorist content, content that incites violence, hate speech, intimate images shared non-consensually, and child sexual exploitation content. What Canadians need to know is that such a law would require internet giants and platforms that use end-to-end encryption to inspect all content traversing their platforms. This also means communication between anyone, including privileged communications between physicians and their patients, would need to be examined by “breaking” encryption, undermining personal security and privacy. Canadians and businesses need to be aware of how evolving privacy and security laws relate to the security of their personal data and any client data they hold.

While cyber security is a broad discipline that requires collaboration between all stakeholders, we would like to highlight the importance of strong encryption in every sector of business and for all the user data it holds. We recommend reading this article published by the Global Encryption Coalition, which highlights the security impact of “breaking” end-to-end encryption. You can find the article at this link – https://www.globalencryption.org/2020/11/breaking-encryption-myths/

It was a great privilege to be part of this group and lead the discussion. While our discussion was only the beginning, organizations have to wake up to the fact that they are under attack for the IP they own or have access to. While they might not see this impact every day, it does exist, and the attack surface can be device based or relationship based. As a business executive, educate yourself on how your organization might be targeted and what mitigations you can put in place to minimize the attack surface. Training and awareness for your staff will be at the core of any program you develop. If you were unable to make the recent Internet Society – Canada Chapter Webinar, here are some further details that might be of interest.

Here is the list of our distinguished panelists:

Gentry Lane – CEO and Founder, ANOVA Intelligence
Tyson Macaulay – Chief Security Officer and VP of Field Engineering @ Rockport Networks
Jeremy Depow – Director, Policy and Stakeholder Relations CyberNB
Mary Anne – Intelligence Officer, Canadian Security Intelligence Service (CSIS)

Here is the link to the video:

Protecting Innovative Canadian Sectors from Foreign Threats

I have also included links to resources provided by Gentry Lane, CEO & Founder, Anova Intelligence.

https://admin.govexec.com/media/diux_chinatechnologytransferstudy_jan_2018_(1).pdf

https://www.hsdl.org/?view&did=812268

China’s National Cybersecurity Center

For anyone who is part of a startup or even considering one, this book is a must read:

https://startupsecure.io/

Note: This blog was written by Marc C., a co-op student with us this summer. We were very fortunate to have such a great student and future cyber security professional on our team. His “report” below shows the potential our youth have for cyber today. It was great having you on our team, Marc. We wish you great success in your future studies and cyber education (which will be lifelong).

As a 16-year-old high school student from Immaculata High School, this summer I had the opportunity to do an internship with a cybersecurity company called TwelveDot. This amazing opportunity has been a great learning experience for me. I was able to explore a professional environment while engaging in technical projects at the company.

The project that I worked on consisted of making a proof of concept that could be used to demonstrate common vulnerabilities in embedded devices and ways deployed IoT devices can be exploited. Using a microcontroller and a Lego Mindstorms wind turbine, I built a network with the microcontroller using the MQTT architecture. The microcontroller would then be used to control the wind turbine over the network, just as in a real-life deployment.

To kickstart the project, I started by learning about the different hardware pieces required and how the microcontroller can be used. In particular, I looked at the Onion Omega2 Pro, which is a microcontroller with the capacity to be connected over a network and is used for many purposes, including IoT deployment. With the help of Bryan, a technical security analyst, I found a way to control the Lego with the microcontroller using logical signals. During development, we decided this project needed to be as realistic to real-world deployments as possible, so not only did this mean considering the network piece and how it would translate to code, but it also meant understanding realistic configuration parameters and incorporating those into the model. Since this meant a lot of testing, much debugging also took place. While testing, we identified many bugs, so Bryan and I had to change certain parts of our code.

 

Figure 1: Marc and his project (love the t-shirt, it just says it all)

Once the testing was done, we did a demo to showcase the architecture and the different vulnerabilities the model is subject to. These include different types of attacks such as information disclosure, man-in-the-middle, or a DoS attack.

Overall, this project was exciting but challenging. Throughout my co-op journey, I ran into many obstacles which made me quite uncomfortable due to my lack of experience. Fortunately, at TwelveDot I had support from Faud, my supervisor, and my colleague Bryan. At first, I had trouble connecting the Lego piece to the microcontroller board to allow the Lego piece to be controlled logically. With the help of my team, Faud and Bryan, we discovered we needed additional hardware components like an H-bridge motor driver and a voltage set-up. This experience made me realize how useful the internet is in helping us troubleshoot technical issues.

 

 

Figure 2: Marc and Bryan after the final demo

Debugging and testing the various aspects of the project was the most demanding part for me, but it was also the most important, since testing is often necessary for the unexpected. For example, I had some trouble since I was not used to some of the technologies used, but my colleague Bryan walked me through the debugging and testing needed to troubleshoot the network and hardware pieces. After this experience, I understood a lot more in the fields of hardware engineering and cybersecurity. During testing or debugging, we can sometimes run into bugs that make us change the model or the blueprint of the project. For example, we had to refactor the code to be object-oriented to accommodate new features. One other valuable lesson for me was the need to consider the safety of the end product, as it relates to electric power, and to incorporate that into the testing phases as well as the codebase.

Overall, working on this project was an amazing experience. It gave me exposure to coding, working with electronics, and exploring how vulnerabilities can turn into exploits. This has allowed me to be more familiar with Python, Linux, JSON, MQTT, hardware engineering, SSH, and computer networking. I learned that it can get frustrating when you get stuck on a problem, but it also made me realize the tools, resources, and people that could help me work towards the end goal. A huge thank you to the TwelveDot team for this valuable learning experience!
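The information-disclosure attack in Marc's demo comes down to one property of MQTT: without TLS, every byte on the wire is readable. As an added example that is not part of Marc's report or the TwelveDot project, the Python below encodes and decodes MQTT 3.1.1 CONNECT and PUBLISH packets the way a passive observer on the network path would see them. The client ID, credentials, topic and turbine command are constructed sample values, not taken from the project.

```python
"""Minimal MQTT 3.1.1 packet encoder/decoder (added example, not project code).
It shows what an on-path observer recovers from cleartext MQTT: the username and
password in CONNECT, and the topic and payload of every PUBLISH. All sample
values below are constructed for illustration."""
import struct

CONNECT, PUBLISH = 1, 3          # control packet types (high nibble of byte 0)


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, MSB = continuation."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_remaining_length(buf: bytes, pos: int):
    value, multiplier = 0, 1
    for _ in range(4):                       # the spec allows at most 4 bytes
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def _field(data: bytes) -> bytes:
    """Length-prefixed field (UTF-8 string or binary), 16-bit big-endian length."""
    return struct.pack("!H", len(data)) + data


def _read_field(buf: bytes, pos: int):
    (length,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def build_connect(client_id: str, username: str, password: str, keep_alive: int = 60) -> bytes:
    flags = 0x02 | 0x80 | 0x40               # clean session | username | password
    body = (_field(b"MQTT") + bytes([4, flags]) + struct.pack("!H", keep_alive)
            + _field(client_id.encode()) + _field(username.encode()) + _field(password.encode()))
    return bytes([CONNECT << 4]) + encode_remaining_length(len(body)) + body


def build_publish(topic: str, payload: bytes, qos: int = 0, packet_id: int = 0) -> bytes:
    body = _field(topic.encode())
    if qos:
        body += struct.pack("!H", packet_id)  # packet identifier only for QoS 1/2
    body += payload
    return bytes([(PUBLISH << 4) | (qos << 1)]) + encode_remaining_length(len(body)) + body


def parse_packet(buf: bytes) -> dict:
    """Decode one control packet exactly as a passive observer could."""
    ptype, flags = buf[0] >> 4, buf[0] & 0x0F
    remaining, pos = decode_remaining_length(buf, 1)
    end = pos + remaining
    if end != len(buf):
        raise ValueError("truncated packet or trailing bytes")
    if ptype == CONNECT:
        proto, pos = _read_field(buf, pos)
        level, cflags = buf[pos], buf[pos + 1]
        keep_alive = struct.unpack_from("!H", buf, pos + 2)[0]
        pos += 4
        client_id, pos = _read_field(buf, pos)
        info = {"type": "CONNECT", "protocol": proto.decode(), "level": level,
                "client_id": client_id.decode(), "keep_alive": keep_alive}
        if cflags & 0x04:                     # will flag: will topic, then will message
            info["will_topic"], pos = _read_field(buf, pos)
            info["will_message"], pos = _read_field(buf, pos)
        if cflags & 0x80:
            user, pos = _read_field(buf, pos)
            info["username"] = user.decode()
        if cflags & 0x40:
            pwd, pos = _read_field(buf, pos)
            info["password"] = pwd.decode(errors="replace")
        return info
    if ptype == PUBLISH:
        qos = (flags >> 1) & 0x03
        topic, pos = _read_field(buf, pos)
        info = {"type": "PUBLISH", "topic": topic.decode(), "qos": qos, "retain": bool(flags & 1)}
        if qos:
            info["packet_id"] = struct.unpack_from("!H", buf, pos)[0]
            pos += 2
        info["payload"] = buf[pos:end]
        return info
    return {"type": ptype, "raw": buf[pos:end]}


def observer_findings(packets) -> list:
    """What a sniffer learns from cleartext MQTT traffic, one finding per packet."""
    findings = []
    for info in map(parse_packet, packets):
        if info["type"] == "CONNECT" and "password" in info:
            findings.append(f"broker credentials disclosed: {info['username']}:{info['password']}")
        elif info["type"] == "PUBLISH":
            findings.append(f"control message disclosed on {info['topic']}: {info['payload']!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample traffic, as if captured between the controller and the broker.
    capture = [build_connect("turbine-ctl", "admin", "hunter2"),
               build_publish("turbine/cmd", b'{"rpm": 120}', qos=1, packet_id=7)]
    for finding in observer_findings(capture):
        print(finding)
```

A readable command is also a forgeable one: once the observer has the topic and the broker credentials, publishing a replacement command is a single PUBLISH. The usual hardening is MQTT over TLS (port 8883), per-device credentials or client certificates rather than one shared account, and broker ACLs that restrict which client may publish to a control topic such as the one above.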

Continuing from our Day 1 observations, here are several key points from the ETSI annual conference relating to cybersecurity policy.

Future plans for standards and certifications under the CSA include candidate schemes in the areas of IoT and IACS (industrial automation and control systems). As ENISA develops a candidate scheme for 5G networks, several items need to be considered. One is the 5G context: which subset of the 5G architecture the certification will apply to. Another is identifying the scheme elements that support 5G evaluation and certification. We can also expect a draft version of the revised NIS Directive (NIS 2) soon. Interestingly, the new directive gives ENISA responsibilities to be more involved in standardization. In response, ENISA has set strategic objectives to maintain an inventory of standardization organizations and their activities and products, with the goal of acting as a cybersecurity reference point for the EU and participating in relevant standardization activities.

In the context of EU5G, the Network Equipment Security Assurance Scheme (NESAS) was submitted to ENISA for EU adoption. NESAS seeks to provide a security baseline for network equipment in the scope of mobile infrastructure. In particular, NESAS looks at whether the equipment is developed to meet secure-by-design guidelines and satisfies defined security requirements. Although NESAS is not a certification scheme, the GSMA is currently looking at how certification components can be added.

We are also seeing a trend of transitioning from current national schemes to CSA schemes. ANSSI is looking to provide EU-wide recognition for certified products and services; one example is ANSSI seeking to offer the market services equivalent to EUCS. This may be achieved by leveraging consistency in areas such as CSA assurance levels, resistance tests, and applicable EU legislation.

A framework for European cybersecurity (conformity) assessment was proposed. The goal is to increase the involvement of, and transparency to, every member state, even those not offering certification or heavily involved in conformity assessment. The agreed new approach would then push for a horizontal regulation on cybersecurity, i.e. one that captures all cybersecurity needs across vertical regulations, to avoid fragmented conformity assessment across industries.

For SMEs, the SBS SME Compatibility Test for Standards was piloted. It provides an overall view of how compatible a given standard is with SMEs. As SMEs are an essential part of the supply chain, this may be a necessary starting point for improving standards.

There were also updates on the RED (Radio Equipment Directive) and its proposed applicable requirements. One interesting update concerns the essential requirements in Article 3(3). Commission adoption of a delegated act under Article 3(3)(d/e/f) of the RED is currently expected in Q3 2021. This came from the Commission’s consideration of mandatory requirements for the market access of certain wireless products. For manufacturers, this means they will need to demonstrate features that ensure protection of networks, privacy and data protection, and/or protection from fraud as conditions for market access.

RED Article 3(3)(i) is the proposed next step after Article 3(3)(d/e/f). It concerns the software for the radio equipment. ETSI has developed a proposal on how to test for the new requirements and has communicated it to the Commission.

Cybersecurity policy raises challenges for standardization. We would highlight that every scheme and piece of legislation must deliver some improvement to baseline security. Parallel schemes do not necessarily devalue one another, provided that manufacturers can transfer the evidence produced under one of the overlapping schemes to prove compliance with the other.

At the recent ETSI annual conference, several cybersecurity domains were discussed. In this article, we look at the latest developments in IoT.

With the increasing adoption of 5G technology, the European Commission has requested ENISA to develop a candidate European Cybersecurity Certification scheme for 5G networks. The EU5G scheme will extend the EU toolbox for 5G security, addressing certain risks as part of a broader risk mitigation strategy. While ENISA is still processing both the EUCC and EUCS schemes, we can expect the finalized version of EUCS in Q4 2021.

As the European Commission and the Cybersecurity Certification Group under the CSA start discussing a candidate cybersecurity certification scheme for connected devices, we can expect such a scheme to be aligned with EU legislative frameworks and the other European Cybersecurity Certification Schemes, in particular the European Common Criteria scheme (EUCC) and the European Cloud Services scheme (EUCS). We believe combining multiple schemes may provide a holistic approach to certification. For example, using the IoT scheme for products and the EUCS scheme for the supporting services may complement a standalone IoT scheme. As of now, we are expecting the Union Rolling Work Programme (URWP) for European Cybersecurity Certification to be published in Q3 2021, at which point we will understand how the European Commission would issue the request to ENISA. Right now, we know the scope of such a scheme will capture IoT devices in residential, industrial, and any other settings. The assurance levels will be the same three levels provided under the CSA. As the European Commission emphasizes the need for standardization, standards development in EU member states and internationally will need to be integrated into the EU Cybersecurity Certification Scheme for IoT.

We are also seeing exciting updates to EN 303 645. It provides a common security baseline across the European and global markets for all consumer IoT. The focus for Q2 2021 is on developing the assessment specification (TS 103 701) for testing against the provisions of EN 303 645. As this standard matures, we can expect alignment with the other standards and legislation under development for IoT.

General cybersecurity assessment frameworks often serve as a horizontal solution; to cover both the general assurance requirements (such as the assurance levels defined by the CSA) and a specific field of application such as IoT, some guidance is provided on how to integrate EN 17640 into a certification scheme. Using EN 17640 as a general evaluation methodology that a certification scheme tailors to its own assurance requirements raises some interesting questions, one being the extent of assessment required at each level. The editors of the draft EN 17640 and CEN/CLC JTC 13/WG 3 are working to publish the standard in September 2021. Also worth noting is its possible future application in a Radio Equipment Directive certification scheme.

The GCF also had some interesting updates on its Consumer IoT Security Accreditation programme based on EN 303 645. Currently, phase 1 provides self-accreditation for non-constrained devices. This involves the manufacturer submitting a security compliance declaration covering the first three IoT security provisions of EN 303 645. We expect development work for phase 2 to focus on extending assessment coverage to constrained IoT devices and on using the TS 103 701 test specification as the baseline for conformity assessment against EN 303 645. For phase 1, product manufacturers should make sure no universal default passwords are used, implement a means to manage reports of vulnerabilities, and keep software updated.

Another example of EN 303 645 adoption is the Cybersecurity Labelling Scheme from the Cyber Security Agency of Singapore (CSA Singapore). This scheme consists of four tiers. Although participation is voluntary, security-critical devices such as Wi-Fi routers will obtain at least tier 1 in Singapore. As more nations launch their own schemes, we have to be more mindful of fragmentation. This particular scheme avoids it by leveraging EN 303 645 and TS 103 701 for tier 4 testing.

Our observation was the importance of collaborative effort in developing mutually recognized standards. For product manufacturers in the global market, this provides value in that they do not have to choose which standard to comply with in order to operate in many jurisdictions.

Over the past few months, we have been working with the Chang School at Ryerson to develop a one-day seminar on cyber security. The goal is to get more executives and board members comfortable talking about security and to ensure they have strong security strategies regardless of sector. The staff at Ryerson have been great at supporting our ideas and concepts and are helping this course become a reality. From an educational perspective, these are the key aspects that will be discussed during the session:

  1. Principles of a Cyber Security Strategy
  2. A Case Study
  3. Implementing a Risk Management Process
  4. Preparing for a Breach, including drafting a Breach and Cyber Security Playbook

There will be lots of open discussion and examples on these topics, and you can pick my brain on the issues specific to your company or sector. I am looking forward to spending the day exchanging, learning and sharing. Bring your questions and problems, and I hope to see you on Sept. 24th. More details on the course and registration are located here: http://ow.ly/QeiK2.

 

Faud Khan