Saturday, December 12, 2015

Cyber security Next steps



Cyber security matters. Products are hacked, in order to misuse, abuse and confuse. Unlike other technologies which are mastered by specific teams and functions, security is a base technology which belongs to the body of knowledge of each single software developer. I have try to ponder on  / about some best practices for security engineering in this blog. This is also a thought of continuous improvement & evolving process for a given enterprise.

Sophisticated functionality and ever-increasing perfection of embedded and distributed IT systems have been made possible through an increasing amount of interconnected components. Open interfaces, standardized platforms, and a variety of heterogeneous networks drive complexity and security risks. For any given system it is only a question of time before the resulting security vulnerabilities are systematically identified and exploited at the harm and expense of users and manufacturers. 

Security is a quality attribute which interacts heavily with other such attributes, including availability, safety, and robustness. It is the sum of all of the attributes of an information system or product which contributes towards ensuring that processing, storing, and communicating of information sufficiently protects confidentiality, integrity, and authenticity. Cyber security implies that it is not possible to do anything with the processed or managed information which is not explicitly intended by the specification of the embedded system.

Currently used security engineering concepts, such as proprietary subsystems, the protection of components, firewalls between components, and the validation of specific features are necessary basics but insufficient to ensure end-to-end security at the systems-level. Intelligent attack scenarios evolve from different directions, such as attacks on unprotected networks, introduction of dangerous code segments through open interfaces, changes to configurations, and prove that security has to become a topic throughout the entire organization and with high management attention.

Cyber security needs evolve fast with the advent of the Internet of Things (IoT). Let us look to modern automotive systems as an example of connectivity and IoT. Distributed networks such as inside cars and from car to roadside are an essential part for our today’s modern infrastructures with their needs for safety and comfort. Besides the further development of innovative sensors like radar and camera systems and the analysis of the signals in highly complex systems, the connected cars will be a driving factor for tomorrow‘s innovation. Internet connections will not only provide the need for information to the passenger - functions like eCall, communication between cars, and car to infrastructure (vehicle2x) shows high potential for revolutionizing the individual traffic. The advantages are obvious, such as improvement of the traffic flow controlled by intelligent traffic lights, warnings from roadside stations, or brake indication of adjacent cars towards enhanced driver assistant systems and automated driving. But the connection to the outer world also bears the risk for attacks to the car.

Based on our experiences with clients worldwide, we show which security engineering activities are required to create secure systems and how these activities can be performed efficiently in the automotive domain. Key points in the development of protected systems are the proper identification of security requirements, the systematic realization of security functions, and a security validation to demonstrate that security requirements have been met. Here some obvious items from the cyber security checklist:

·         Standardized process models for a systematic approach which is anchored in the complete development process. This starts in the requirements analysis phase, and continues through the design and development to the test and integration of components and the network.

·         Quick software updates to close vulnerabilities in the deployed and operational software.

·         Reliable protocols that are state-of-the-art and meet long-term security demands. Related to security, this is often combined with cryptographic keys. So a key management over the lifecycle of the vehicle must be maintained.

·         In-vehicle networks and a system architecture that provide flexibility and scalability and are designed with consideration of security aspects.

Dependability requirements are a good starting point to identify relevant security requirements and to guide elicitation of further functional requirements that will mitigate security risks. The same technique as outlined here can be applied for other scenarios – always starting with attacker motivation or functional risks due to the system architecture. Our guidance: Do not limit exposure to known incidents and defects as some textbooks suggest. Security analysis is not a checklist approach. It has to consider attack motivations of persons thinking differently than the usual engineer. However, utilizing an engineering approach, we can more easily identify vulnerabilities in our architectures.

The results of security risk and hazard analysis starting with asset identification to misuse, abuse and confuse cases and the entire security protection scheme should be well-documented. It is of utmost interest to understand the approach specifically when modifications are made at a later point. Form a legal perspective complete and maintained documentation is necessary for governance and compliance reasons. Security threats and resulting damages impact the safety of products and the integrity of private data, and are thus directly endangering the financial health of a company. Our guidance: Document the security case similarly to the safety case by means of a ALM/ PLM environment. Maintain the related documentation and enhance it with regression test scenarios for future updates.

Security requires an end-to-end perspective. Security engineering must start with a clear focus on security requirements and related critical quality requirements, such as safety, footprint, or performance and how they map to functional requirements. Software component suppliers and integrators first define the key functional requirements. These requirements are then analyzed for security risks and impacts. Security requirements are expanded into further functional requirements or additional security guidelines and validation steps. Security concepts are subsequently and consistently (i.e. traceable) implemented throughout the development process. Finally, security is validated on the basis of previously defined security requirements and test cases.

Today, cyber security by design is in the foreground due to safety, legislative and intellectual property concerns. We recommend a life-cycle perspective which takes a systems engineering perspective and drives security starting with security requirements and the related test cases, while stepwise and comprehensively building the security case in line with the impacted functional requirements and quality requirements. After all it does not help much if transactions are piecemeal encrypted and thus slow down performance.

Many security attacks are the result of poorly managed software updates and uncontrolled complexity growth. Architectures, systems, and protocols must be developed with security in mind (i.e., design for security). Competences have to be developed around security engineering, and employees have to be trained how to design, verify, and sustain security throughout the product’s life-cycle. Only with continuous measurements on their effectiveness the value of security measures improves.

Contact me at ravindrapande@gmail.com for more information or to discuss these trends.

Monday, December 7, 2015

Office 2016 Review



At IndiaTrainigServices.in we got a good look at the US editions of the Office 2016 Developer edition.
Office 2016 is a major upgrade, but not in the way you’d first suppose. Just as Windows 10 ties notebooks, desktops, phones and tablets together, and adds a layer of intelligence, Office 2016 wants to connect you and your coworkers together, using some baked-in smarts to help you along.
We have tested the client-facing portion of Office 2016. Microsoft released the trial version of Office 2016 in March as a developer preview with a focus on administrative features (data loss protection, multi-factor authentication and more) that we didn’t test.

Office 2013 users can rest easy about one thing: Office 2016’s applications are almost indistinguishable from their previous versions in look and feature set. To the basic Office apps, Microsoft has added its Sway app for light content creation, and the enterprise information aggregator, Delve. 

Collaboration in the cloud is the real difference with Office 2016. Office now encourages you to share documents online, in a collaborative workspace. Printing out a document and marking it up with a pen? Medieval. Even emailing copies back and forth is now tacitly discouraged.
Microsoft says its new collaborative workflow reflects how people do things now, from study groups to community centers on up to enterprise sales forces. But Microsoft’s brave new world runs best on Office 365, Microsoft’s subscription service, where everybody has the latest software that automatically updates over time. And to use all of the advanced features of Office, you must own some sort of Windows PC.

You could still buy Office 2016 as a standalone product: It costs Rs. 6,000 for Office 2016 Home & Student (Word, Excel, PowerPoint and OneNote ) and Rs. 18,500 for Office Home & Business, which adds Outlook 2016. Office 365 is Rs. 330 per month for a Personal plan (with one device installation) and Rs. 450 per month for a Home Plan, where Office can be installed on five devices and five phones.

If you subscribe to Office 365, it’s a moot point; those bits will stream down to your PC shortly. Windows 10 users already have access to Microsoft’s own baked-in, totally free version of Office, the Office Mobile apps. It’s those people who fall somewhere in the middle—unwilling to commit to Office 365, but still wavering whether or not to buy Office—who must decide.

Our advice to an individual, family, or small business owner: Wait. If you’ve never owned Office, the free Office Mobile apps that can be downloaded from the Windows Store onto iOS, Android, and Windows Phones are very good—and include some of the intelligence and sharing capabilities built into Office 2016. Microsoft’s Office Web apps do the same.

There’s no question that Office 2016 tops Google Apps, and I haven’t seen anything from the free, alternative office suites that should compel you to look elsewhere. But Microsoft still struggles to answer the most basic question: Why should I upgrade? That’s a question that I think Microsoft could answer easily—and I’ll tell you how it can, at the end.

Before that, here’s what works, and what doesn’t, in Office 2016. With PowerPoint, however, most of that goes out the window. You can ask coworkers to collaborate, and you can still send them links by which they can edit your shared presentations. You can still comment, and coworkers can still make changes to the text as they wish. But you can’t really manage their changes, or restrict what they can or can’t do. (You can compare and reconcile versions of the same document that a coworker has worked upon separately, however, which is vaguely similar.)

But—and this is a big but—any revisions to a document show up only if you click a teeny-tiny Save icon, way down at the bottom of the screen, that serves as a sort of CB-radio-style ‘Over’ command. It’s almost impossible to find unless you know what you’re looking for. Click it, and changes made by others show up. When your colleague makes another change, you have to click it again. It’s a pain.
Granted, collaborative editing wasn’t in the Office 2016 preview Microsoft released earlier this year. And, given that there’s an enormous blank space in the ribbon header to the right half of the screen, you have to imagine that more managed sharing is heading to PowerPoint.