As you probably know from my previous posts, in 2022 I was honored to take part in The International Research & Innovation Forum, where I acted as an author and presenter, panel organizer, session chair / panel moderator, and PC member. What is more, I was even recognized with the Best Panel Moderator award (you can read the post I dedicated to this experience here). Today, I am glad to reflect on the paper – Data Security as a Top Priority in the Digital World: Preserve Data Value by Being Proactive and Thinking Security First – I presented during this conference, which was just published by Springer as part of the Springer Proceedings in Complexity book series (SPCOM).
Today, in the age of information and Industry 4.0, billions of data sources, including but not limited to interconnected devices (sensors, monitoring devices) forming Cyber-Physical Systems (CPS) and the Internet of Things (IoT) ecosystem, continuously generate, collect, process, and exchange data [1]. With the rapid increase in the number of devices (smart objects or “things”, e.g., smartphones, smartwatches, intelligent vehicles etc.) and information systems in use, the amount of data is increasing. Moreover, due to digitization and the variety of data being continuously produced and processed with reference to Big Data, their value is also growing and, as a result, so is the risk of security breaches and data leaks, including but not limited to users’ privacy [2]. The value of data, however, depends on several factors, of which data quality and data security (which can affect data quality if the data are accessed and corrupted) are the most vital. Data serve as the basis for decision-making and as input for models, forecasts, simulations etc., which can be of high strategic and commercial / business value.
This has become even more relevant during the COVID-19 pandemic, which, in addition to affecting the health, lives, and lifestyle of billions of citizens globally and making that lifestyle even more digitized (i.e., the digital environment has replaced the physical one), has had a significant impact on business [3]. This is especially the case because of the challenges companies have faced in maintaining business continuity in this so-called “new normal”. However, in addition to those cybersecurity threats that are caused by changes directly related to the pandemic and its consequences, many previously known threats have become even more desirable targets for intruders and hackers. Every year millions of personal records become available online [4, 5, 6].
Lallie et al. have compiled statistics on the state of the cybersecurity horizon during the pandemic, which clearly indicate a significant increase in such threats. As an example, Shi reported a 600% increase in phishing attacks in March 2020, just a few months after the start of the pandemic, when some countries were not even affected.
Miles, in turn, reported that 2021 saw a record-breaking number of data compromises, where “the number of data compromises was up more than 68% when compared to 2020”, with LinkedIn being the most exploited brand in phishing attacks, followed by DHL, Google, Microsoft, FedEx, WhatsApp, Amazon, Maersk, AliExpress and Apple.
Recent research [7, 8, 9, 10, 11] has demonstrated that weak data protection, and weak database protection in particular, is one of the key security threats. This poses a serious security risk, especially in light of the popularity of search engines for Internet-connected devices, also known as Internet of Things Search Engines (IoTSE), Internet of Everything (IoE) or Open Source Intelligence (OSINT) Search Engines, such as Shodan, Censys, ZoomEye, BinaryEdge, Hunter, Greynoise and IoTCrawler. While these tools may represent a security risk, they provide many positive and security-enhancing opportunities. They provide an overview of network security, i.e., of the devices connected to the Internet within the company; they are useful for market research and for adapting business strategies; they make it possible to track the growing number of smart devices representing the IoT world and to track ransomware (the number and nature of devices affected by it); and they therefore make it possible to determine the appropriate actions to protect yourself in light of current trends. However, almost every one of these white-hat-oriented objectives can be exploited by black hats. The popularity of IoTSE has lowered the complexity of searching for connected devices on the Internet and made access easy even for novices, owing to widespread step-by-step guides on how to use an IoT search engine to find and, if they are insufficiently protected, gain access to webcams, routers, databases (in particular non-relational (NoSQL) databases), and other more “exotic” artifacts such as power plants, wind turbines or refrigerators. These engines provide service- and country-wise exposure dashboards, the top vulnerabilities according to CVE, statistics on authentication status, Heartbleed and BlueKeep (a vulnerability revealed in Microsoft’s Remote Desktop Protocol, which became even more widely used during the pandemic), port usage, and the number of already compromised databases.
Some of these data play a significant role for experienced and skilled attackers, making these activities even less resource-consuming by providing an overview of the ports to be used to increase the likelihood of faster access to the artifact etc.
According to the Risk Based Security Monthly Newsletter, 73 million records were exposed in March 2022, and 358 vulnerabilities were identified as having a public exploit that had not yet been provided with CVE IDs. And while the 2021 Year End Report Vulnerability by Risk Based Security & Flashpoint suggests that the vulnerability landscape is returning to normal, there is another trigger closely related to cybersecurity that is now affecting the world – geopolitical upheaval.
In the past, vulnerability databases such as CVE Details were considered useful resources for monitoring the security level of a product being used. Indeed, the CVE registry covers vulnerabilities that it divides into 13 types: (1) bypass something, e.g., a restriction, (2) cross-site scripting, known as XSS, (3) denial of service (DoS), (4) directory traversal, (5) code execution (arbitrary code on a vulnerable system), (6) gain privileges, (7) HTTP response splitting, (8) memory corruption, (9) gain / obtain information, (10) overflow, (11) cross-site request forgery (CSRF), (12) file inclusion, (13) SQL injection. However, such registries are static and refer to very common vulnerabilities in a product, which are registered when a vulnerability is detected. Advances in ICT, including the power of the IoTSE, require the use of more advanced techniques for this purpose.
While security breaches and different security protection mechanisms have been widely covered in the literature, the concept of a “primitive” artifact such as a data management system seems to have been more neglected by researchers and practitioners. But are data management systems always protected by default? Previous research and regular updates on data leakages suggest that the number and nature of these vulnerabilities are high. This also concerns little or no DBMS protection, especially in the case of NoSQL databases, which are thus vulnerable to attacks. The aim of this paper is to examine whether “traditional” vulnerability registries provide a sufficiently comprehensive view of DBMS security, or whether they should be intensively and dynamically inspected by DBMS owners by referring to Internet of Things Search Engines, moving towards a sustainable and resilient digitized environment.
The aim of this paper is both to examine current data security research and to analyse whether “traditional” vulnerability registries provide sufficient insight into DBMS security, or whether they should rather be inspected by using IoTSE-based tools and the respective passive testing, or dynamically inspected by DBMS holders conducting active testing. The paper brings attention to this problem and makes the reader think about data security before looking for and introducing more advanced security and protection mechanisms, which, in the absence of the above, may bring no value. As regards the IoTSE tool, this study refers to the Shodan- and Binary Edge-based vulnerable open data sources detection tool – ShoBeVODSDT – proposed by Daskevics and Nikiforova (2021).
This study provided a brief insight into the current state of data security as reported by CVE Details – the most widely known vulnerability registry – considering 13 databases. Although the idea of CVE Details is appealing, i.e., it supports stakeholder engagement, where each person or organization can submit a report about a detected vulnerability in the product, it is obviously not sufficiently comprehensive. It can be used to monitor the current state of vulnerabilities, but this static approach, which sometimes provides incomplete or inconsistent information even about revealed vulnerabilities, must be complemented by other more dynamic solutions. This includes not only the use of IoTSE-based tools, which, while providing valuable insight into unprotected databases seen or even accessible from outside the organization, are also insufficient.
The paper shows an obvious reality, which, however, is not always visible to the company. In other words, while this may seem surprising in light of current advances, the first step that still needs to be taken when thinking about data security is to make sure that the database uses the basic security features: authentication, access control, authorization, auditing, data encryption and network security [12, 13, 14]. Ignorance or non-awareness can have serious consequences, leading to data leakages if these vulnerabilities are exploited. Data security and appropriate database configuration are not only about NoSQL, which is typically considered to be much less secured, but also about RDBMS. This study has shown that RDBMS are also relatively prone to various types of vulnerabilities. Moreover, there is no “secure by design” database, which is not surprising since absolute security is known to be impossible. However, this does not mean that actions should not be taken to improve it. More precisely, it should be a continuous process consisting of a set of interrelated steps, sometimes referred to as “reveal-prioritize-remediate”. It should be noted that 85% of breaches in 2021 were due to a human factor, with social engineering recognized as the most popular pattern [15]. The reason for this is that even in the case of highly developed and mature data and system protection mechanisms (e.g., IDS), the human factor remains very difficult to control. Therefore, education and training of system users regarding digital literacy, as well as the definition, implementation and maintenance of security policies and a risk management strategy, must complement technical advances.
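One way a database holder could check that first step, as an added example that is not taken from the paper or this post: a short Python audit of a Redis configuration file against the basic features listed above. Redis is an assumption chosen for illustration (the post names no specific DBMS); the directive names are real Redis settings, both sample configurations are constructed, and auditing is left out of the check.

```python
# Added example: audit a redis.conf-style file for the basic features named above.
# Directive names are real Redis settings; both sample configs are constructed.
WILDCARDS = {"0.0.0.0", "*", "::", "::*"}

def parse_conf(text):
    """Return {directive: [argument lists]}, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf

def last_value(conf, name, default):
    """Last occurrence of a single-valued directive, or the default."""
    args = conf.get(name, [[default]])[-1]
    return args[0].lower() if args else default

def audit(text):
    """Return the set of basic security features the config fails to enable."""
    conf = parse_conf(text)
    missing = set()
    has_acl = "aclfile" in conf or "user" in conf
    if "requirepass" not in conf and not has_acl:
        missing.add("authentication")
    if not has_acl:
        # requirepass alone leaves one shared default user with every command
        missing.add("authorization")
    # Conservative: no bind line, or a wildcard bind, means every interface
    binds = {a.lstrip("-") for args in conf.get("bind", []) for a in args}
    if not binds or binds & WILDCARDS or last_value(conf, "protected-mode", "yes") == "no":
        missing.add("network security")
    if last_value(conf, "tls-port", "0") == "0":
        missing.add("data encryption")  # in transit only
    return missing

# Constructed samples: an exposed instance and a hardened one
EXPOSED = "port 6379\nbind 0.0.0.0\nprotected-mode no\n"
HARDENED = ("port 0\ntls-port 6380\nbind 127.0.0.1 10.0.0.5\n"
            "protected-mode yes\naclfile /etc/redis/users.acl\n")

if __name__ == "__main__":
    print("exposed :", sorted(audit(EXPOSED)))
    print("hardened:", sorted(audit(HARDENED)))
```

A static check like this only covers what the configuration file declares; it complements, rather than replaces, the outside-in view that IoTSE-based inspection gives.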
Sounds interesting? Read the paper here -> Nikiforova, A. (2023, March). Data security as a top priority in the digital world: preserve data value by being proactive and thinking security first. In Research and Innovation Forum 2022: Rupture, Resilience and Recovery in the Post-Covid World (pp. 3-15). Cham: Springer International Publishing. If you cannot access the full-text, read the pre-print version here.
Nikiforova, A., Daskevics, A., & Azeroual, O. (2023). NoSQL Security: Can My Data-driven Decision-making Be Influenced from Outside?. In Big Data and Decision-Making: Applications and Uses in the Public and Private Sector (pp. 59-73). Emerald Publishing Limited.
Daskevics, A., & Nikiforova, A. (2021, November). ShoBeVODSDT: Shodan and Binary Edge based vulnerable open data sources detection tool or what Internet of Things Search Engines know about you. In 2021 Second International Conference on Intelligent Data Science Technologies and Applications (IDSTA) (pp. 38-45). IEEE.
Daskevics, A., & Nikiforova, A. (2021, December). IoTSE-based open database vulnerability inspection in three Baltic countries: ShoBEVODSDT sees you. In 2021 8th International Conference on Internet of Things: Systems, Management and Security (IOTSMS) (pp. 1-8). IEEE.