Tuesday, June 24, 2025

Current Access Control Technology

This week in class we covered access controls and their use in companies to further secure data for special access. In the lab, we had to use these controls to simulate new employees and new groups. It always baffles me when a system I use regularly like Windows has so many more capabilities I'm not aware of. As a user of a personal computer, I have no use for these access controls currently. But it's still amazing what Windows can do as a system for both end-users and companies. 

Anyways, this week's blog is about access controls and their uses in today's world. As I discussed in my blog two weeks ago, Internet of Things (IoT) technology is running rampant today. This IoT world can be attributed to working from home after the COVID-19 pandemic and in part just because we have the technology to do so now. Mercury Security is a provider of access control solutions. They just submitted a report describing the new usages of certain kinds of access controls. This is important in gauging what interest there will be in the future.

The biggest number from this report by Mercury Security was that 72% of the respondents say the controller is essential in the PACS design. PACS stands for Picture Archiving and Communication Systems. These systems are often used in the medical field to store photos securely. These PACS systems use four components to secure the data:  systems that take the images, a secure network for transmission, a workstation for observing the images, and archives. The controller in this case would be doing most of the work in sending images, verifying users, etc.

Another interesting number is the need for IoT integration. 44% of respondents stated they are exploring integrating IoT devices into their controller. Such devices could be HVAC, lighting, and sensors. 90% of the respondents also agreed that cyber security is important. Which is a step in the right direction, especially since companies are going mostly online where cyber security is essential to maintain confidentiality and security. 

Just from those few numbers from the report, it's obvious how important cyber security and knowledge of IoT devices are becoming. For more numbers from the report, consult the first two links below.

I'd be so interested to see what the PACS system looks like under the hood in a hospital like Mayo Clinic. I bet they have a lot of data and coding to support it. 

Articles Read:

- Nicole Golden 

Friday, June 20, 2025

How to Survive Data Breaches

This week while watching the news I saw that there has been a giant data leak from big companies like Facebook, Google, Apple, and others. Over 16 billion passwords were exposed. So if you've been putting off changing that one password you use, maybe change it now. I know it's hard to do what everyone says when it comes to password security. Especially since every little thing has a website with a log in now. I'd like to share my accumulated knowledge about how to survive in today's Internet world. This is not an end all, be all. Some systems work better for different people. Everyone's information can be breached, but we don't want to make it easy for them!

Password Managers 

If you can, there are password managers you can use to store your password information. This can aid in the attempt to have a different password for each site. Even if you use Google Password Manager, it's better than nothing. These managers encrypt your password, store it, and decrypt it. So it's not just lying out there for everyone to see. And you don't have to manually remember! Other password managers are Bitwarden, Keeper, and Proton Pass. These usually have free and paid options.

My mom keeps a little notebook with all her passwords in it, and while many professionals recommend against it, I think it's still better than nothing if you're just a layman in security. If you do that, please do not keep it anywhere near your computer. Maybe in a safe or hidden away. Please whatever you do, do not keep your laptop password taped to the bottom of the laptop! So many people do this. If you worry you'll forget, set up an easy code or biometric entrance instead. I understand it's usually for older folk, but their data deserves to be private too!

Have I Been Pwned? Website

Back when I was studying at MCTC and participating in the CCDC, the Cybersecurity Club had a meeting about password security and mentioned this website. It is by far one of my favorite, easy recommendations to monitor your personal data for these breaches. You can visit the website below. It works by taking in your email and then it notifies you when that email is involved in a breach. It also informs you of which information has been breached such as credit card information, address, passwords, etc. It is the best offense when your data has been leaked. Once you get that email, you go to that account and change the password. It also helps you be more aware of your credit card charges and such to detect sooner when the data has been officially sold to someone to be used. Usually the way breaches work is that the data is stolen and put on the dark web where it can be sold to anyone that will pay. So even if nothing happens right away, it could still happen later! I'd recommend everyone to go there and sign up quick for notifications. It's free!

Conclusion

There are millions of ways to protect yourself from data breaches and living in this digital world. Things most people have heard a million times, I'm not going to repeat those. I think the systems I discussed are well worthwhile for anyone who works, plays, and exists on the Internet. Please try them out.


Related Articles & Websites:

Nicole Golden 

Tuesday, June 10, 2025

Internet of Things Cameras

This week I attended a talk given by Axis Communications about what their cameras can do. The talk was called Data Driven Insights. While I had spoken with an employee before at Loffler Tech Fest, at this event I learned more in-depth how these cameras function not only as video-capturing systems but also as sensors gathering data.

Axis Communications states on their website that they offer the widest range of video and audio analytics. While I don't have much to compare to, I was blown away by what they can do with the metadata from their cameras. Based in Sweden but with establishments all over the world, the Axis location in Minnesota is in the Mall of America offices. Their presentation room is full of their wide assortment of cameras and sensors. On the wall they had a TV that showed a camera that tracked planes that flew overhead, their flight numbers, and all information about the flight.

The presentation started out discussing what is possible with metadata. To start I'll define what metadata from a camera exactly is. Metadata is information gathered by the camera's software when recording video footage. Much like how we remember details about a situation and can't exactly recall what happened but remember that a lady was there with brown hair, that's what the metadata is like. It records items it's been taught. Axis Communications' cameras have Artificial Intelligence Deep Learning built into them. So they are taught to recognize a car, truck, person, and many other categories. These cameras then send the feed of metadata to the server and computer for further usage.

I was in the room with a wide variety of business professionals, be it employees from Axis or other companies that sell or use the cameras. They seemed widely unaware of this constant feed of information being sent alongside the video provided by the camera. Mostly the presentation was about what could be done in a business setting with this metadata. A very useful tool was shown by Field Sales Engineer Seth Dodge who made a website so an office could see which e-charging parking spots were open. This allowed for the use of the metadata seeing how many cars were in the spots, and informing the server. Another useful capability these cameras have is that users can create boundaries and track how many cross these boundaries. Mr. Dodge also discussed how a company could use the metadata and store it in a database for further analysis or safe-keeping.

In an early segment of the presentation, the Solutions Engineer Robert Brown discussed the usage of the audio to detect people talking, shouting, or even glass breaking. As a computer scientist and, in this class, a cybersecurity professional, I worried about the audio being a vulnerability. But Mr. Brown covered how only the camera has access to the audio and it is never sent anywhere aside from in the camera hardware. Instead the camera sends the metadata of what it thinks it detected. This is very smart thinking since issues have arisen with devices like Alexa and recording audio for other nefarious reasons.  

Naturally everything has its limits and these cameras are limited by the position they're put in. One client asked the presenters if it was possible to track how long a customer stays in a specific section in the store, even if they leave the area and come back. But Axis cameras are limited by their short memories. It would be hard to give a person an ID and remember them in the future. This is a good example of how Internet of Things (IoT) devices still have limitations on their hardware and software. The client stated that it would be great to have the Axis cameras do it themselves; currently they use a third party to calculate these numbers for them.

For some concrete examples of Axis' qualifications, they discussed how they are the company that runs the Mall of America's cameras. Both for security and marketing. These cameras were used during the Katseye performance to track how many cars came during the duration of the performance. The camera count was exact; the mall had people go and manually count the cars too. That information can then be used for further marketing and preparation for other concerts in house.

It is interesting and amazing what is possible with the use of a "simple" camera. Who knows what will be possible in the future with these built-in software updates. 

I'd like to thank Seth Dodge for inviting me to attend the talk. I was the only student but still thoroughly enjoyed the talks. Especially the small bit of back-end systems they showed. Axis Communications offers students opportunities to learn about security in the modern world, please take a look at their website. If I owned a company, I would definitely consider them as an amazing option for security.

Related Webpages: 

- Nicole Golden 

Tuesday, June 3, 2025

Social Engineering

This week in class we covered common vulnerabilities, threats, and risks in cybersecurity. One security vulnerability I find the most interesting is social engineering. It's almost like magic sometimes how the right people with the right amount of charisma can get any information they need. As we discussed in week one, people are the weakest link in a computer security system. Users make more mistakes, both socially and technologically. Social engineering plays into our humanity and our need to please other people. These social engineers target people with the least amount of technical knowledge usually. It proves that despite all our training and assimilation into the world of technology, we can still be conned and tricked into forking over our sensitive data.

Social engineering is the act of gaining trust from an employee and encouraging them to make unsafe choices such as releasing sensitive information or clicking a link. There are many different kinds of social engineering such as phishing, watering hole attacks, and physical social engineering attacks. Phishing, meaning illegitimate emails requesting information or having a link that is malicious, is the most common form of social engineering nowadays. Watering hole attacks are when the attacker sets a trap such as compromising a website and requesting the employee visit that website. Finally, the most interesting are the physical social engineering attacks. These attacks are done in the physical realm and don't require total cybersecurity knowledge. Mostly these attackers are just good talkers.

I've seen videos online with a sort of penetration testing, where the person calls someone's insurance claiming to be their wife who forgot the access code or some sort of mistake to then access private information like the Social Security number or address of the owner. After watching that video I realized that all the tactics of phishing can be applied to a phone call. The person in the video played a sound bite of a baby crying and created the urgency that she needed the information now. After watching that video, I realized that in the world of remote work, our information isn't safe. Luckily that wasn't a "real" hacker with malicious intent, but it shows that you don't need cybersecurity knowledge to get sensitive digital information. 

Once again, computers and people are all doom and gloom, but no! This issue can be mitigated, if not completely fixed, with the proper training of employees. Training can serve as a backup when they are backed against the wall of a customer's request. Of course, the final say is made by the architecture of your business' information. I hope that companies have the principle of Least Privilege down, if not Zero-Trust. But in the end, training is the best way to teach employees how to sniff out a con. Everything can be fake on the phone, or even on a video call now with AI and YouTube.

While most hackers are not as socially apt, I just thought I'd bring some awareness to the most underestimated attack method. Phishing is discussed often at length, but don't think for a moment people on the phone always have the company's best interests in mind. The computer always starts with the person behind the keyboard first.

Articles Read:

 

- Nicole Golden 

Wednesday, May 28, 2025

Artificial Intelligence: Turning the Tide of Cybersecurity

Artificial Intelligence (AI) is the newest tech tool that everyone won't stop talking about. Since in the book this week we covered emerging technologies that change lives, I immediately thought of how AI is changing our lives. Personally, I don't favor AI much. I think people are using it as a shortcut instead of using their own intelligence. But it can be a handy tool in automation and for things people don't want to do. Which leads to the application of AI in cybersecurity. 

Despite my bias against AI, I can see why it could be such a good tool in the cybersecurity world. Not only can it predict attacks, but it could also make decisions on its own whether or not an attack is serious. This was discussed in the article by Telecompetitor. They argued that AI can be used by the defenders to protect their companies against bad actors. This makes sense, but I still worry that AI is also being used by the attackers. When attending Loffler Tech Fest, one panel discussed cybersecurity and they mentioned noticing an uptick in phishing that was more grammatically correct than before. The host attributed that change to AI, since many of these chatbots are built for text creation and prediction; that's what they excel at. If both the attacker and defender are given the same tools, would it be possible for one side to use it to turn the tides?

In the article written by Forbes, they discussed how AI adds complexity to systems using them. This complexity makes the systems harder to defend. Another point in the favor of the attackers. Since AI often is unreliable in its decisions and answers, it cannot be defended in the same traditional sense as before. The AI has a model that even after extensive training and mapping, can still be chaotic. This leaves this new Model Layer more defenseless. While this unpredictability is a part of the interest in AI, it also leads to the attackers being interested in companies that utilize AI. These attackers see it as a vulnerability they can take advantage of. The author, Tony Bradley, made a good point that when companies let the AI make decisions like API calls and interacting with other agents, that's when the real dangerous territories are crossed into. If we can't predict what it's going to do, can't defend it, what could it do next?

Both the Forbes article and the article by Intelligent CISCO approve of a joint cause. The cybersecurity world must work together to tackle securing artificial intelligence. If everyone runs their own security, it would lead to an unstable internet. If an infrastructure was built and shared, it might be stronger and better than before. Who knows what is coming next after AI? We will need to work together to secure it; otherwise there's another point in the attackers' favor.

It's good to know that world-renowned companies like Intelligent CISCO are having these talks at their events like Infosecurity Europe. It is necessary to talk it out and not just blindly use AI without understanding what you're signing up to. AI is a brand new shiny double-edged sword that's been handed to every single person on the planet. How we use it defines what will happen next both on the internet and in our day-to-day lives.

Quotes:

"AI should be a co-pilot, not an autopilot." - Tony Bradley, Forbes

Articles Read:

 - Nicole Golden