Gaps and Challenges

Authors:
Marco Anisetti, Università degli studi di Milano
Claudio Ardagna, Università degli studi di Milano
Marco Cremonini, Università degli studi di Milano
Ernesto Damiani, Università degli studi di Milano
Jadran Sessa, Università degli studi di Milano

On this page, we show gaps and challenges prior to and after the emergence of COVID-19 pandemic as identified by the H2020 CONCORDIA project.


Gaps and Challenges prior to COVID-19 Era

The following list showcases gaps that were driven by the threats prior to COVID-19 and that have also remained relevant in COVID-19 era.

(1) Device/IoT-Centric Security

  • G1.1 – Gaps on design. IoT is just recently but slowly being designed considering security as a principal requirement [1]. Usually, IoT systems have no defense-in-depth strategies implemented and good practices like the limitation of the number of open ports and authentication are not considered. In general, the concept of security-by-design or privacy-by-design is not taken into account by most IoT manufacturers. In many cases information is exchanged with a third party without control, credentials are stored as unchangeable plain text.

  • G1.2 – Gaps on protection mechanisms adoption and hardening. The current advanced protection mechanisms cannot be adopted by most of the IoT systems due to several limitations including the limited computational power and lack of communication protection on internal and external interfaces. The firmware level lacks data execution prevention or attack mitigation techniques implementations. Similarly, correct configurations are essential in complex architectures for preventing security weaknesses. IoT configurations are hindered by several flaws due to the difficulties to modify and fix them.

  • G1.3 – Gaps on authorization and authentication. IoT systems rarely adopt advanced authentication and authorization architectures between devices. In most cases, some critical tasks like firmware updates can be executed without a signature check allowing tampering and usurpation, while software updates can be done without authorization and file trust verification. In many cases, secure boot, which is essential for hardening IoT devices is not implemented. Moreover, IoT is often exposed to risks associated with weak password policies or default passwords left unchanged.

  • G1.4 – Gaps on diagnosis and response capabilities. IoT devices are rarely equipped with diagnostic tools that can be used to monitor their status. In many scenarios, they are not always connected to the rest of the system and their response capabilities are limited. Due to the difficulty of controlling the IoT periphery, the IoT ecosystem is often exposed to threats of cloning and substitutions.

  • G1.5 – Lack of awareness and knowledge (skill shortage). There is a lack of knowledge regarding i) the threats in IoT and how they differ from the traditional system threats and ii) the countermeasures and mechanisms to be adopted. There is also an overall lack of awareness among end-users regarding the security risks posed to themselves and others and, therefore, cybersecurity is not widely embraced as an essential requirement in the market of IoT. Hence, it is essential to train employees and educate consumers about the use and the security risks posed by IoT, as well as about the ways how to protect IoT and react in the case of an emergency.

  • G1.6: Lack of interoperability. The lack of common regulations causes several interoperability issues between devices of different manufacturers, security models adopted within the IoT subsystem and between the IoT and the legacy subsystems. It is therefore important to ensure correct and secure interoperability avoiding conflicts and incompatibilities that expose the entire system to security risks. For instance, it is a good practice to use standard protocols rather than closed-source and proprietary protocols due to security verification issues. Similarly, the use of common frameworks can aid in improving the efficiency and security of interconnected devices.

  • G1.7: Lack of security-dedicated budget. IoT manufacturers tend to consider functionality and economic interests more important than security, secure design, and code quality. Moreover, they are not able to evaluate the economic impact and perceived reputation effect of hypothetical security weaknesses. Limited funds or a total lack of funds also affect the mindset of manufacturers. Thus, obliviousness to the risks, threats, and hazards due to the financial costs usually results in a-posteriori handling of incidents.

  • G1.8: Fragmentation in security approaches and regulations. In IoT, there is still an absence of regulations addressing all the relevant aspects promptly, which hinders both the identification of commonly accepted requirements for manufacturers and the setting of clear expectations from customers. Most IoT manufacturers are taking their own approach when implementing security, which results in a lack or slow embracement of standards to guide a security-aware IoT adoption. A key to rapid progress in this context is to get the public and private sectors to collaborate since security is a shared responsibility between all involved actors. Another issue for IoT adoption in critical ICT scenarios is the fragmentation of the regulations. Hence, it is important to consider different areas where IoT systems will be adopted because different application areas have different security requirements and constraints on the IoT ecosystem.

  • G1.9: Product lifecycle management leakages. The lack of lifecycle management, timely patching, and continuous discovery of vulnerabilities can jeopardize entire IoT systems. IoT products and all the involved actors have to evolve to meet the requirements throughout the lifecycle. The manufacturers should propose new features, while end-users should accept the cost increments and recognize the value of the security. The deployment phase of the lifecycle is quite crucial even if can be considered as one-time in most cases. Recommendations should be followed to avoid issues including wrong configurations and the absence of security features. Monitoring of the post-deployment lifecycle is another aspect that is gaining an importance.

(2) Network-Centric Security

  • G2.1 – Gaps on security testing, on security accreditation schemes of network devices and on massive deployment of PSIRT program from vendors. To identify possible exploitable misbehavior or erroneous security configuration, assess the security requirements and functions of network devices and their hardening and accomplish security by design and testing, basic security accreditation schemes should be adopted at a large scale. As part of the security accreditation of network devices, vendors should offer Product Security Incident Response Team (PSIRT) program to help their customers in addressing the security of their products promptly and efficiently. Even though many vendors are already implementing their PSIRT processes, there are still no standardized procedures defined.

  • G2.2 – Gaps on continuous hardening & patching of IT systems. The operations and maintenance of network devices rely on IT systems, whose improper management can lead to the abuse of normal operations. Personal computers of employers can also represent a gateway for unauthorized and privileged access to the network. Diminishing vulnerabilities requires regular and timely patching of network devices, which is often difficult to accomplish due to the sheer number of impacted devices. Solutions should focus on developing automatic tools for selecting the right updates on the correct devices in a timely manner.

  • G2.3 – Gaps on security training and awareness toward employees. Artificial intelligence or machine learning techniques can aid in complementing the security awareness of employees through assisting spam and phishing email identification. However, both end-users and employees of Telco services need to undertake continuous security training to prevent possible DDoS attacks that could result due to improper device management. 

  • G2.4 – Gaps on massive deployment of mobile signaling firewalling solutions and anomaly detection systems specific to mobile signaling protocols. To hinder the lack of security mechanism of signaling protocols used in mobile networks and mitigate possible threats such as interception and unauthorized acquisition, in the last few years the industry dedicated a lot of effort to elaborate firewall specifications. Emerging technologies, such as 5G have to implement these firewalls starting from the early phases of development.

  • G2.5 – Gaps in the standardization process to include formal security verification and security assessment/testing of new protocol/network specifications. Formal verification algorithms and methods to prove the security of protocols should be adopted by the specification and standardization agencies to identify and address possible security issues. These issues can originate from unclear specifications or the leak of implementation guidelines and have to be identified and removed before the official approval of a new specification.

  • G2.6 – Gaps on best practice to increment GTP security assessment procedure and on robust solution against Data session hijacking (i.e., by means of artificial intelligence systems). Protocol configuration vulnerabilities represent a critical issue since data sessions are established for every connection. Hence, research to identify new solutions against data session hijacking can be valuable for safeguarding the security and privacy of users. Some mobile operators are still exposed to vulnerabilities in the GTP protocol and 5G, opening the door to several kinds of attacks, such as denial of service attacks, impersonations, and fraud. To limit exposure to this threat, GSMA FS.20 GPRS Tunnelling Protocol (GTP) Security recommendations should be followed.

  • G2.7 – Gaps on the deployment of robust crypto algorithm to cypher user plane traffic while minimizing performance impact and interoperability issues. Crypto algorithms should be applied to protect the user data against interception or manipulation. Some of the gaps can occur due to the miss-configurations in the commercial network. So, research endeavors in novel crypto algorithms are essential for protecting user data and minimizing performance impact.

  • G2.8 Gaps on robust and innovative solutions for protecting DNS traffic system. The weak design of DNS makes it one of the main targets of cyberattacks. Telcos and ISP are spending a lot of resources to protect their DNS infrastructures in terms of both, security technologies (firewall, IDS, monitoring tools) and security personnel, while DNS-SEC is not widely adopted.

  • G2.9 Gaps on wide adoption of integrity protected firmware (also in IoT system). Despite the existence of many mechanisms for protecting the integrity of operating systems of both end-user and network devices, various vulnerabilities are continuously being discovered. Whereas traditional network elements can be managed by security personnel, IoT devices are out of range of the traditional management tools and hence the target of cyberattacks. Filling this gap requires innovative yet simple and economically feasible solutions.

  • G2.10 – Gaps on malware detection solution. Despite the significant amount of research, the detection of malware remains problematic. Signature-based and heuristic-based detection approaches are fast and efficient to detect known malware, but ineffective in detecting unknown malware. Other approaches such as behavior-based, model checking-based, cloud-based, deep learning-based, mobile devices-based, and IoT-based approaches perform better to a certain extent in detecting known and unknown malware. However, building a foolproof method for detecting malware is a challenging task.

  • G2.11 – Gaps on containing amplification attacks. Amplification attack techniques permit a relatively small number of nodes to generate a huge number of messages toward the target victim. Signaling amplification attacks include Smurf Attacks (ICMP amplification), DNS, and NTP attacks. Increasing the Threat of Information sharing among organizations could help in protecting network infrastructures against these otherwise difficult to fend off attacks.

(3) System-Centric Security

  • G3.1 – Gaps on the use of cryptography. Cryptography-based security mitigations introduce an overhead that can affect the performance and availability of the virtualized systems, hypervisors, guest machines, networks, and storage[2][3][4]. To prevent possible risks of DoS attacks, performance has to be kept under control by applying the appropriate cryptography. In recent years, several initiatives related to cryptographic solutions emerged, including the topics of Virtual Trusted Platform Module (vTPM), “cryptography-as-a-service” and post-quantum cryptography.

  • G3.2 – Gaps on data control. One of the well-known privacy problems occurs when a user provides its data to a third party and partially loses control over it, which is often the case in cloud environments. The optimal solution to this problem should provide verifiable and privacy-enhanced data management, thus enabling users to maintain control over their data distribution and sharing. Another potential privacy problem is the “data remanence” problem, which occurs when the residual data remains on the VM disk even after VM is deleted and causes sensitive data to be unwillingly disclosed.

  • G3.3 – Gaps on multi tenancy, isolation and resource management. Virtualized systems are frequently based on multi-tenant systems, where multiple users share the same resources and every user is given a dedicated share of data, configuration, functional and non-functional properties. However, there is a major gap to find a balance between complete isolation and the necessity to control and monitor, to avoid potential threats such as covert channel attacks. Moreover, the inability to control communication between components and virtualization can exacerbate threats such as resource hijacking and data leakage. Resource management should be also optimized to mitigate possible attacks which can affect the system’s availability and reliability.

  • G3.4 – Gaps on roles and human resources. The gap related to the need for different administration levels requires balancing the protection of users’ security and privacy and privileges in respect to virtualized environment administrators and considering the hierarchical system administration approach. Moreover, the gap involving the lack of skilled personnel responsible for deploying/configuring virtualized environment and maintaining its security has to be also filled.

  • G3.5 – Gaps on security assurance and Service Level Agreements (SLAs). Filling this gap requires consideration of the intrinsic dynamics of virtualized systems, where multi-layer architecture consists of distributed components. Another gap caused by the multi-tenant nature of virtualization environments is related to the definition and enforcement of SLAs. To leverage user satisfaction, existing SLAs have to cope with the virtualization oddities and virtualized context, intrinsic dynamics, event-based management, sharing, continuous control of security and privacy conditions, SLA management, and cloud security certification [5].

  • G3.6 – Gaps on forensics. Due to the dynamic nature of technical operations and controls and the distributed nature of data storage, data analysis, identification, recovery, and preservation are often complex in virtualized environments. On the other hand, since the environment and resources are shared between different users, the activities of the particular tenants can permanently jeopardize the evidence. Timely notifications of breaches are of the crucial essence for providing effective forensics. Thus, virtualized environment forensics requires profound technical skills and the relevant support of the service providers that require forensics analysis.

  • G3.7 – Gaps on standards/regulations. European cloud computing strategy mentions the following gaps on cloud environment services standardization: i) interoperability solutions for implementing standardized services, ii) standard certificates of communication service providers (CSPs) that enable comparison and selection of offerings, and iii) transparency in cloud SLAs. Data formats and interface interoperability of cloud services can be achieved by standardization, while adoption of SLAs can contribute in balancing the risks of the customer and the CSP and the lack of the appropriate SLA.

  • G3.8 – Lack of visibility/control. One of the main advantages of the cloud, i.e. not having to perform software, platform, and assets management daily comes at the price of having less control and visibility of the assets. Despite providing the advantage of not having to perform daily software, platform, and assets management, the cloud has less control and visibility of the assets. Thus, users/organizations’ ability to verify the efficiency of their security controls, perform incident response plans and conduct data analysis is reduced. The problem can be mitigated by reviewing and agreeing to the threshold concerning the amount of data that can be accessed, the ways to track the data, and security mechanisms for preventing data breaches [6].

  • G3.9 – Gaps on misconfiguration and inadequate change of control. Misconfiguration and inadequate change of control are some of the most prevalent challenges that cloud services are facing and its consequences can be ravaging. In 2017, the private data of 123 million American households were mistakenly exposed due to the misconfiguration of the AWS S3 cloud storage bucket.

  • G3.10 – Gaps on lack of cloud security architecture and strategy. During the migration of IT assets to clouds, organizations often disregard security architecture for repelling cyberattacks. Coupled with the lack of understanding of the shared security responsibility model, this can lead to involuntary data exposure to an array of cybersecurity threats [6].

  • G3.11 – Gaps on insufficient identity, credential, access and key management. Keeping control of identity and access management is a crucial task with heavier use of the cloud. Hence, both CSPs and cloud users are obliged to manage identity and access management while keeping attention on security. Having an identity service platform that employs robust, persistent, and verified identity controls is also of great importance [6].

  • G3.12 – Gaps on insider threat. According to the Ponemon Institute’s 2018 Cost of Insider Threats study, insider negligence is the main suspect for 64 percent of security incidents. The most common reasons for this threat include misconfiguration of cloud servers, phishing emails, and employees storing sensitive data on insecure devices and systems.

  • G3.13 – Gaps on weak control planes. Transition to the cloud requires the creation of enough data storage and appropriate protection. The control plane emerges as an optimal solution for this challenge since it can provide necessary security and integrity in addition to the stability and data runtime. Having a vulnerable control plane can result in a lack of control of data infrastructure, security, and verification, while stakeholders’ lack of awareness could lead to data corruption, unavailability, and leakage [7][8].

  • G3.14 – Gaps on abuse and nefarious use of cloud services. Malicious actors can use cloud resources for targeting users/organizations and hosting malware on cloud services. Cloud-hosted malware can appear genuine due to the CSP’s domain, and attackers can deploy cloud-sharing tools to further infiltrate themselves [6].

  • G3.15 – Gaps on insecure interfaces and APIs. The security and availability of cloud services are dependent on the user interfaces and APIs, which pose as gateways to the cloud. Hence, those interfaces must be designed in a way to protect against both accidental and malicious endeavors to breach security. Improper design of interfaces can lead to several critical issues, ranging from misuse to major data breaches.

  • G3.16 – Gaps on account hijacking due to the inadequate authentication. In the domain of the cloud, cloud service accounts and subscriptions are at the highest risk of getting exploited. There is a range of attacks that can compromise accounts security, such as phishing attacks, exploitation of cloud-based systems, stolen credentials and, spoofing that can result in identity and data theft.

  • G3.17 – Gaps on vulnerabilities exposure due to increasing complexity. Operating systems contain thousands of lines of codes written and debugged by humans. Consequently, they have a significant number of involuntarily introduced vulnerabilities, ranging from benign error messages to potentially devastating errors which can lead to the loss of important data and reduction in productivity [9].

  • G3.18 – Gaps on malware exposure. Operating systems are highly susceptible to various kinds of malware, including viruses, trojans, and spyware. Malware can often compromise local machines and exploit them for attacking other systems. By allowing limited interaction with outside and at the same time providing the full functionality of the operating system, third-party software can be given minimum access to file systems.

  • G3.19 – Gaps on race conditions. It is essential to consider race conditions involving the memory coherence model [10][11][12][13]. In the situations where the attacker gains the access to the protected files, he/she can take an advantage of the race condition between two operations and compromise the operating system. Enabling only atomic operations for file accessing and imposing strict restrictions on their access for all users, apart from root users is the only known workaround [14].

(4) Data-Centric Security

  • G4.1 – Gaps on data protection. The major gaps on data protection include threats to privacy and confidentiality of sensor data streams. Furthermore, loss of information, interception of sensitive data, and unauthorized acquisition of information are the main threats, while phishing and identity fraud due to traffic capture and data mining have been exacerbated by COVID-19. In order to facilitate the issue of the privacy intrusion, it is crucial to define solutions spanning beyond the application of smart cryptographic techniques. The employment of solutions such as real-time monitoring, assurance, and anonymization techniques provides fairly limited benefits. Some emerging potential solutions include privacy-preserving data mining [15] and privacy-preserving machine learning [16]. To alleviate another critical issue affecting current systems, namely user identity falsification, protecting data confidentiality and privacy through the means of advanced authentication, authorization, and access control solutions is of the essence. Accordingly, streams of trustworthy data from sensors should be certified when possible (see G4.6).

  • G4.2 – Gaps on the use of cryptography in applications and back-end data intensive services. The adoption of cryptographic solutions in Big Data environment is often challenging, owing to their complexity, flexibility, performance, and scalability issues in such environments. Another important aspect that has to be considered in distributed scenarios like the cloud, as well as when the data streaming has to be verified and certified is key management. Since integrity verification solutions are not appropriate due to the sheer size and collection rate of Big Data, alternate solutions, such as TPMs (see G4.3), the evaluation of sensor behaviors (see G4.5), and the monitoring of sensor configuration (see G4.6) have to be considered.

  • G4.3 – Gaps on computing and storage models and infrastructures. Lack of standard solutions, security controls’ portability issues in open source projects (e.g., different Hadoop versions) and Big Data vendors, inadequate design and planning or incorrect adaptation of a Big Data platforms, as well as the models’ and infrastructures’ complexity can lead to a variety of problems, including data management threats, misconfigurations and human errors. Moreover, correctness of data collection and ingestion activities represents a challenge related to the data protection problem (G4.1), whereas the design and deployment of a trustworthy Big Data platform require in-depth testing and verification.

  • G4.4 – Gaps on roles (skill shortage). Nowadays, the difficult task of managing security in a landscape consisting of small services with high-rate deployment changes is performed by incorporating so-called DevOps methodologies [17], which allow early detection of bugs and potential security issues. However, these methodologies necessitate the presence of “security culture” in the development teams and the application of security in novel ways, which in turn requires knowledge beyond traditional cybersecurity skills. When it comes to data intensive process applications, such as Big Data, there is a gap in terms of roles and skills. While the positions in high demand, including data scientist, data engineers, and Big Data system administrators are unlikely to be filled in the near future, users may stay unaware of the legal implications of data storage. Awareness, education, and training are the keys for closing this gap. This gap directly reflects on the gap G6.4, especially on universities who have started offering Data Science degrees only recently.

  • G4.5 – Gaps on data trustworthiness. Distinguishing between correct and fake data is of a critical importance and represents a major gap in systems. The implementation of safe autonomic and adaptive processes at the basis of ICT system functioning depends on the trustworthiness of data. Unfortunately, in the existing literature data trustworthiness is often neglected and taken for granted. As a result, current autonomic and adaptive systems make data decisions without filtering data beforehand. To solve this problem, trustworthy data collection and ingestion should be implemented, while proper data domain should be based a standard and trustworthy data collection, which can differentiate between correct and fake data. Extending assurance verification to data collection and ingestion would further contribute in filling this gap. Detection of the adversarial AI is another challenge encompassed by this gap.

  • G4.6 – Gaps on decision support systems. Decisions in autonomic and adaptive systems are made based on the collected field data. However, since the humans are components of the systems, all the human-related risks and unpredictability are present. Even though such traditional systems strive to maximize the decision quality, it is often difficult to prove/audit the correctness of decisions due to untrusted/unverified data that is accepted based on the provider reputation. Solution of this problem is directly connected to the data trustworthiness (G4.5), whereas solutions based on false positives reduction could potentially aid in management of the false alarms.

  • G4.7 – Gaps on ethics. It is essential to properly adopt emerging technologies, such as data analytics, machine learning, and artificial intelligence for maintaining human rights. These technologies have raised many ethics-related concerns, including surveillance, manipulation of behavior, opacity of AI systems, bias in decision systems, human-robot interaction, artificial moral agents, as well as fairness vs. bias question in ML/AI [18][19]. In all of the cases, bias in decision system plays an important role, which is connected to gap G4.6.

(5) Application-Centric Security

  • G5.1 – Gaps on microservices-aware security. Microservices and distributed systems follow an established communication pattern on the HTTP protocol, while traditional network security is based on firewalls. However, when encountering easily scalable microservices, standard firewalls struggle to implement necessary address- and port-based security rules. As a consequence, web application attacks are on the rise. Most of the existing and emerging solutions are bound to a specific platform, thus, WAF (Web Application Firewall) is being increasingly adopted by companies.

  • G5.2 – Gaps on authentication and authorization. The heterogeneity and the complexity of microservice-based deployment pose significant challenges to authentication and authorization. Moreover, since microservices enable writing applications in different languages/frameworks, the way authentication and authorization are handled introduces vulnerabilities. Concurrently, client applications that rely on password-based authentication (in which users have to select strong passwords) face the same issue.

  • G5.3 – Gaps on orchestration and composition. Managing security in applications composed of multitude of small components is difficult, since it requires securing microservices themselves (Gap G5.1), external software being used (e.g., databases, message brokers, and the orchestration platform, for which deployment a number of concepts have to be mastered beforehand. Also, some distributed architectures have single points of failure (e.g. API gateways), which is even further exacerbated by CI/CD methodologies. In such methodologies, software is deployed automatically, making it prone to bugs and security issues (see Gap 5.6).

  • G5.4 – Gaps on safety and security by default. Traditional desktop applications and operating systems are written in low-level programming languages, making them prone to security vulnerabilities, in particular memory bugs. Although this issue is not new, memory-safe programming languages have been considered unfit for critical systems performance until recently, when many vendors started adopting safer languages, such as Rust. However, there are still certain gaps that have to be filled. Since it is infeasible to rewrite the whole code from the scratch, automatic translation tools should be utilized to rewrite the most critical parts of the code, i.e. modules dealing with inputs. Moreover, both academia and industry should promote the use of safer languages for the development of safe-by-design products. Even though there are ways for increasing the safety of intrinsically unsafe languages, such solutions are often not integrated with the main toolchains, hence requiring additional steps. Lastly, this gap is even further exacerbated when considering IoT devices.

  • G5.5 – Gaps on the proper management of configurations. The management of configurations, and especially credential management, is one of the main challenges in the development and deployment of modern distributed systems. The best solutions that involve the deployment of encrypted storage systems are notoriously difficult to use. Some of the recent breaches have shown that configuration stores are often not properly secured and that the credentials within configuration stores are also insecure. Hence, stronger and more reliable credential management is required not only for APIs environment, but also for IoT devices, client-side configuration, and credential storage.

  • G5.6 – Gaps on supply-chain security. The security and the safety of an ICT product inherit security from all of its components. Usually, supply-chain security indicates that the application security is not completely under the control of the developers. According to ENISA, supply-chain security represents a critical gap in the age of CPU vulnerabilities, fake mobile apps, and state-sponsored attacks.

  • G5.7 – Gaps on skills. Managing security in a landscape composed of small services whose deployment changes at a high rate requires expertise in several fields, and the ability to operate at the different layers. Nowadays the trend is to incorporate security as soon as possible in the development process to facilitate finding bugs in the early development stages, which in turn requires a “security culture” among the member of the development teams [17][21]. All these activities require knowledge beyond traditional cybersecurity skills.

(6) User-Centric Security

  • G6.1 – Gaps on modelling user behavior. The question of how user behavior, relevant to cybersecurity, should be addressed with the respect of reducing the frequency of errors and preventing cascade effects, and forecasting threats likelihood has remained unanswered for decades. Different efforts of developing behavioral analysis, such as the ones utilizing Host-based Intrusion Detection Systems (HIDS) or AI have not managed to produce robust solutions until today. On the other hand, despite being successful, the integration of research on human errors with cybersecurity issues is still in the early stages. Similarly, other than characterizing the so-called “hacker mindset”, behavioral studies, which have been intensively researched in different fields, such as psychology, sociology, and economy, have never seen much success in converging with cybersecurity.

  • G6.2 – Gaps on the relation between user behavior and adverse security-related effects. Recently, there have been many studies on phishing, and testing employees’ likelihood of falling victim to social engineering has become a standard measure for security-conscious enterprises. Quantitative statistics indicate that the number of social engineering cases has dropped considerably over the years. On the other hand, social engineering, phishing, and ransomware attacks have become more relevant. In the past, there was a misconception that phishing, social engineering, and in general user-cantered threats should be counted instead of weighted. Even though the total number of such cases has dropped significantly, difficult cases that can potentially wreak havoc persevered. Such threats can halt the operations of critical health divisions, the production lines, or deceive executives into making dreadful decisions. The legacy solutions are not able to alleviate the problem, rendering companies defenseless.

  • G6.3 – Gaps on security information. Data and knowledge about the threat landscape are limited in quantity and have low quality. Consequently, the same questions and uncertainties are repeated multiple times. Also, significant uncertainty about the relative importance between internal and external sources of attacks, the type and nature of main threats, and ranking threats and vulnerabilities remains. For those issues and the issues regarding data knowledge sharing among subjects, analyses are repeated over and over. Data and knowledge sharing flow with difficulty and have poor quality, resulting in slow and partial awareness build-up. Moreover, assessing the quality of reports and surveys has a low quality, which can be reflected from the equal classification of good and poor quality ones.

  • G6.4 – Gaps on security training and education. There is yet no general agreement as to what is adequate cybersecurity education and who should be responsible for providing it. There are several proposals in place, ranging from enrolling teenagers in cybersecurity programs to advanced studies in cybersecurity. Most of the proposals in between, including cybersecurity programs offered by Computer Science/Engineering or Law Management programs or hands-on Vs. theoretic approaches have achieved recognition to a certain degree. Other unanswered questions consider the topics of appropriate content, the amount of required knowledge for the cybersecurity workforce, and coherent curricula. In an attempt to answer those questions, the recent consensus has been leaning towards multidisciplinary education. However, this proposal has risen a plethora of doubts, the most prominent being that it could lead to diverse superficial programs that will cover many issues without teaching, ultimately leaving a sense of vagueness and lacking characterization.

  • G6.5 – Gaps in collaborative protocols for disclosure. Even though their relevance remained uncertain, vulnerability disclosure procedures have been the point of discussion on which security researchers and software companies have not agreed for years. More recently, the rise of bug bounty programs and the standard ISO/IEC 29147:2018 Information technology — Security techniques — Vulnerability disclosure have started making a progress in this debate. Even though the business-oriented approach introduced by bug bounties seemed to function flawlessly in the start, some old and novel problems surfaced, including reward problems, the degree of freedom for the researchers, and the doubts surrounding the effectiveness of the approach. On the other hand, the ISO 29147 standard did not find support from the industry and thus did not manage to materialize. Consequently, the problem of governing the vulnerability disclosure process remains mostly unaddressed by the public, while at the same it has become the central business of the shadowy industrial sector.

Emerging Gaps and Challenges in COVID-19 Era

The advent of COVID-19 enhanced:

  1. Gaps on design (G1.1),
  2. Gaps on interoperability (G1.6),
  3. Gaps on security-dedicated budget G1.7),
  4. Gaps on lack of visibility/control (G3.8),
  5. Gaps on misconfiguration and inadequate change of control (G3.9),
  6. Gaps on insider threat (G3.12),
  7. Gaps on account hijacking due to the inadequate authorization(G3.16),
  8. Gaps on malware exposure(G3.18),
  9. Gaps on data protection (G4.1),
  10. Gaps on data trustworthiness (G4.5),
  11. Gaps on decision support systems (G4.6),
  12. Gaps on ethics (G4.7),
  13. Gaps on supply-chain security (G5.6).

Furthermore, COVID-19 also generated the following new gaps:

  • G1.10 – Gaps in cyber hygiene practices. The advent of COVID-19 exposed personnel to stress and to the need to rapidly adopt new technologies that they do not have time to learn about. In IoT, this is even more severe due to their nature to be ubiquitous and out-of-the-box deployable. The current practices to cope with the minimal cyber hygiene education are insufficient and usually unavailable before risk exposure occurs. This gap is also connected to the skill shortage gap which affects the learning procedure.

  • G1.11 – Gaps in handling critical scenarios. The pandemic let the connection between IoT security and safety emerge more clearly. The increase of IoT device adoption in critical scenarios without an emergency reaction plan or adaptation strategy is exposing people to data breaches and safety implications.

  • G2.12 – Gaps on general misinformation campaigns and conspiration theories. The COVID-19 pandemic contributed to the dissemination of disinformation, misinformation, and conspiracy theories. Moreover, it highlighted the role of social media in influencing political and policy debates and raised questions about rethinking regulations. Due to the lack of transparency and ease of message circulation, social platforms are hotspots for the dissemination of conspiracy theories and misinformation among like-minded people. Even though popular social networks including Facebook and Twitter have been under pressure of removing such content, conspiracy theorists have moved onto less scrutinized platforms or/and started using coded phrases to avoid being detected.

  • G2.13 – Gaps on reduced capacity to perform security operations. During COVID-19, SecOps teams face several constraints on their working practices, including reduced access to operational tools and difficulties to harden corporate computers connected to the company LAN. This indicates the need for more automation in security operations. Automation of Advanced Threat Protection could enable real-time threat intel for identifying and preventing threats in real-time. Emerging technologies, such as solutions based on machine learning and AI capabilities could aid the identification of malicious components of cybercrime and the generation of threat intel for future threat prediction and prevention.

  • G3.20 – Gaps on logistic challenges to the ever-increasing cloud usage. Moreover, the rapid rise of streaming services’ usage also calls for increased bandwidth on the internet and cloud providers’ networks. This results in difficulties to maintain service availability and performance and the shortage of required components for powering data centers [21]. Unpreparedness and inability to cope with such issues can lead to DDoS attacks that could even further cripple already overwhelmed systems.

  • G3.21 – Gaps on endpoint controls. To secure remote workers from potential malicious activities, organizations have to deploy multi-layer endpoint agents on all employee endpoints. Furthermore, systems should be hardened according to the proposed CIS benchmarks to prevent attackers from gaining systems’ access and privileges.

  • G3.22 – Gaps on Cloud user awareness. Remote workers require training on various topics, including phishing, password guidance, privacy screen, and device hardening, just to name a few. Security controls necessitate continuous evaluation throughout recommended team exercises, while privileged users should have distinct accounts only for dedicated Privileged Access Workstations (PAWs) [22].

  • G3.23 – Gaps on remote network controls. Off-network communications from virtual desktops should be limited only to whitelisted necessary resources. Moreover, a shift from full-tunnel to split-tunnel VPN could result in reducing network visibility, which can be further bolstered by a cloud proxy. To mitigate potential issues related to IP address, all traffic occurring from the VPN has to be linked to the source IP address, while the assignment of IP addresses should be linked to the corresponding user accounts [23].
  • G4.8 – Gaps on videoconferencing tools. With the emergence of COVID-19 traditional meetings were completely replaced by virtual meetings hosted by video-conferencing tools. However, these tools were not designed to withstand the increasing resource demands nor to achieve the required scalability and support necessary security and identity management requirements. In turn, this resulted in an increased risk of unauthorized participants.

  • G4.9 – Gaps on data management across borders. The pandemic has affected the boundaries of IT systems and data centers, and users’ online behavior in a way that they started connecting to private networks from hostile sites. Hence, new approaches for managing remote accesses and safeguarding data availability and integrity are mandatory to mitigate the risks of malware and ransomware.

  • G5.8 – Gaps on interoperability. COVID-19 demonstrated an urgent need for systems interoperability and revision, especially in public services, which are often obsolete and difficult to integrate with modern systems and apps. In the EU, systems interoperability across national borders is of the essence. Education has a critical role in enabling people to take advantage of digital services.

  • G5.9 – Gaps on education. Education denotes the necessity to educate everyone to use digital technologies correctly and safely. Users should also be more aware of attacks relying on social engineering and phishing, such as the Twitter bitcoin scam. Even though user awareness documents a rise, another peril comes from the increasingly personalized and complex attacks, that are not easily recognizable.

  • G5.10 – Gaps on sophisticated protection. According to ENISA, the attack surface is continuously expanding. Concurrently, boundaries of cybersecurity protection are also enlarging and becoming difficult to define due to remote and smart working. Therefore, novel and more sophisticated forms of protection that consider the human factor are of the essence for safeguarding trust boundaries, as well as AI, which is also becoming increasingly targeted recently.

  • G6.6 – Gaps on protection from online scammers. With the emergence of COVID-19, the notorious FUD triple (fear, uncertainty, and doubt) has resurfaced in society. Similarly, as in the previous states of distress, the scammers are again ready to exploit distraught, desperate, and depressive people. During the course of the pandemic, cybercriminals have carried out a wide range of well-known online scams, including phishing email campaigns, fake products, fraudulent advertising, and preposterous pseudoscientific theories.

Emerging Gaps and Challenges in 2021

The following is the list of gaps that emerged in 2021.

  • G1.12 – Gaps on insufficient data protection (communication and storage). One of the main challenges for IoT privacy and security is that compromised devices can be used for unauthorized access to confidential data. To prevent hackers from accessing IoT networks, secure data storage and network segregation are of utmost importance. Data encryption can be used to prevent data visibility in the case of unauthorized access, hence minimizing the risk of data theft. Moreover, data encryption is also efficient in preventing attacks such as eavesdropping and man-in-the-middle [24].

  • G1.13 – Gaps on device management and the use of outdated components. A study on the Internet of Medical Things (IoMT) published in July 2020 unveiled a significant number of vulnerabilities across different connected objects. It found out that 51% of consumers were unaware of smart objects that were used, while 75% of devices violated VLAN, and 86% of healthcare deployments used recalled devices [25]. As a result, the healthcare industry found itself under the increased risk of ransomware attacks, which abused the mix of legacy systems and connected devices to disrupt operations, compromise customer data, and inflict reputational damage. Moreover, the use of deprecated software components, operating systems, and third-party software of hardware components can lead to compromised smart devices [26].

  • G2.14 – Gaps on Defense in Depth. Defense-in-depth is about being able to detect and stop what the first line of defense lets through. One of the most relevant gaps in defense in depth is to detect attacks the network firewalls have not blocked for example due to a misconfiguration, to detect attacks that network IDS or antivirus have to let pass for example because attackers have found a way to bypass signature-based detection. Intruders are using land of the land attacks to get into the networks’ systems via trusted programs that are not going to arouse any suspicions. With this tactic, intruders can get around traditional protection systems, which will not be triggered by the unusual use of apparently secure software. It also allows cybercriminals to get onto IT systems securely, and even spend several months inside without setting off any kind of alarm. Given the circumstances, it is also much harder to identify where the attack comes from compared to when certain files are used. The reason for this is that the vast majority of cybersecurity solutions are unable to detect dangerous behavior when it is carried out using tools classified as legitimate. For these reasons, it is necessary to identify and enable new methods for security monitoring, response, and recovery against the existing security solutions such as blacklisting/whitelisting, antivirus-like approaches, and anomaly detection.

  • G2.15 – Gaps on attack surface awareness. Knowing the network attack surface is very complex and request a lot of time since it includes visibility on all the networks’ systems where unauthorized users or attackers can exploit vulnerabilities to gain access to systems and stage an attack.  One of the main gaps is related to this visibility on the network that, in most cases, is partial and changing over time as new technologies, users, and connections are introduced, expanding the network threat surface and increasing the number of attackable points and the overall risk. The human factor is also a growing concern, especially considering the increasing number of remote workers due to the COVID. To secure remote workers, additional technologies and tools have been adopted. But also, in this case, new tools need to be securely integrated into a tech stack. Misconfigured software or technology can introduce security gaps, exposing the users to new threats. These aspects imply that networks and systems are becoming more complex, increasing the threat surface, and making it harder to spot attacks early and take appropriate action to mitigate cyber threats.

  • G2.16 – Security of the new Open Radio Access Network model. Open RAN is an emerging model to build the RAN for mobile operators [27]. The new model is attractive to the operators because it permits the reduction of both CAPEX and OPEX, by adopting open hardware and open software; at the same time, it breaks the traditional vendor lock-in in favor of true market competition. However, there are challenges associated with the new model that still have to be better identified and correctly managed. From the security point of view, the multi-vendor environment will increase the threat surface, especially because new software, new interfaces, new protocols will be deployed in the field, in particular for the 5G. Moreover, new emerging vendors, with little or no experience, will enter the market.

  • G2.17 – Gaps on the security of network slicing. Network slicing sets up several vulnerabilities that security mechanisms designed into 5G’s Service Based Architecture are not currently resourced to detect and protect against. Current security mechanisms in 5G architectures are focused on detecting and protecting against a malicious User Equipment (UE), but less so in filtering signaling between and within Network functions and slices themselves. The underlying problem is that no layer matching is mandated by the specifications. Recent research [28] examined 5G core networks that contain both shared and dedicated network functions, revealing that when a network has these ‘hybrid’ network functions that support several slices there is a lack of mapping between the application and transport layers identities. This is a relevant gap since i) operators will share network functions between slices and ii) slices may also need to communicate with each other. This flaw in the industry standards has the impact of creating an opportunity for an attacker to access data and launch denial of service attacks across multiple slices if they have access to the 5G Service Based Architecture. For example, a hacker comprising an edge network function connected to the operator’s service-based architecture could exploit this flaw in the design of network slicing standards to have access to both the operator’s core network and the network slices for other enterprises.

  • G3.24 – Gaps on the configuration of cloud storage. Security issues in cloud computing occur as a result of oversights and superficial audits. This makes cloud servers vulnerable to breaches. Types of misconfiguration include using default cloud security settings of the server, mismatched access management that causes an unauthorized person to get access to the sensitive data, and garbled data access in which confidential data is left open to everyone [29]. In 2017, misconfiguration of the AWS server left the top-secret army and NSA data publicly accessible by anyone [30].

  • G4.10 – Gaps on the distributed data and frameworks. Analyzing big data requires organizations to spread it over multiple systems, which is usually done with Hadoop. However, accomplishing security requirements in Hadoop is a challenging task, which reflects in difficulties in detecting data breach when it occurs. Moreover, attackers can render MapReduce useless by displaying incorrect lists of values and key pairs [31][32][33].

  • G4.11 – Gaps on the use of non-relational databases. Since relational databases sometimes have difficulties handling big data due to the scalable and diverse nature of big data, non-relational databases (NoSQL) are often the solution for handling big data. Despite overcoming some shortcomings of the relational databases by providing more flexibility and scalability, NoSQL databases lack the security that is inherent in relational databases. Mitigating the lack of security in NoSQL databases requires additional workarounds, such as using middleware or setting the database in a trusted environment with additional security options, which is often not simple to accomplish [31].

[1] New Security Guidance for Early Adopters of the IoT https://cloudsecurityalliance.org/download/new-security-guidance-for-early-adopters-of-the-iot/

[2] Jordi Cucurull, Sandra Guasch, Virtual TPM for a secure cloud: fallacy or reality?, RECSI 2014

[3] See Peter W. Shor “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer” in https://arxiv.org/abs/quant-ph/9508027 and Bernstein “Introduction topost-quantum cryptography” in http://www.springer.com/it/book/9783540887010

[4] See https://www.trust.informatik.tu-darmstadt.de/publications/publication-%20details/?no_cache=1&tx_bibtex_pi1[pub_id]=TUD-CS-2013-0089, or Berson et al. Cryptography as a Network Service in http://www.csl.sri.com/users/ddean/papers/ndss2001b.pdf

[5] A. Arman, S. Foresti, G. Livraga and P. Samarati, “A Consensus-based Approach for Selecting Cloud Plans,” in 2016 IEEE 2nd International Forum on Research and Technologies for Society and Industry Leveraging a better tomorrow (RTSI), Bologna, IEEE, 2016, pp. 1-6

[6] See https://www.compuquip.com/blog/cloud-security-challenges-and-risks

[7] See https://accedere.io/pdf/Cloud%20Security%20Assessment.pdf

[8] See https://cloudsecurityalliance.org/blog/2020/02/18/cloud-security-challenges-in-2020/

[9] See https://itstillworks.com/operating-system-security-issues-6691860.html

[10] See https://www.iisec.ac.jp/proc/vol0005/hashimoto13.pdf

[11] S. V. Adve and K. Gharachorloo, “Shared Memory Consistency Models: A Tutorial,” IEEEComp, vol. 29, pp. 66-76, 1996.

[12] G. Boudol and G. Petri, “Relaxed memory models: an operational approach,” ACM SIGPLAN Notices, vol. 44, pp. 392-403, 2009.

[13] M. F. Atig, A. Bouajjani, S. Burckhardt and M. Musuvathi, “On the verification problem for weak memory models,” in Proceedings of the 37th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, New York, 2010, pp. 7-18.

[14] P. K. Rath and G. Anil, “Proposed Challenges and Areas of Concern in Operating System Research and Development,” arXiv preprint arXiv:1205.6423, 2012.

[15] Lei Xu, Chunxiao Jiang, Jian Wang, Jian Yuan, and Yong Ren. Information security in big data: privacy and data mining. Ieee Access, 2:1149–1176, 2014.

[16] Kaihe Xu, Hao Yue, Linke Guo, Yuanxiong Guo, and Yuguang Fang. Privacy-preserving machine learning algorithms
for big data systems. In 2015 IEEE 35th international conference on distributed computing systems, pages 318–327. IEEE, 2015.

[17] Akond Ashfaque Ur Rahman and Laurie Williams. Software security in devops: synthesizing practitioners’ perceptions and practices. In 2016 IEEE/ACM International Workshop on Continuous Software Evolution and Delivery (CSED), pages 70–76. IEEE, 2016.

[18] Reuben Binns. Fairness in machine learning: Lessons from political philosophy. In Conference on Fairness, Accountability and Transparency, pages 149–159. PMLR, 2018

[19] Elizabeth Gibney. The battle for ethical ai at the world’s biggest machine-learning conference. Nature, 577(7791):609–610, 2020.

[20] Cloud Security Alliance (CSA), “The Six Pillars of DevSecOps: Collective Responsibility”. https://cloudsecurityalliance.org/artifacts/devsecops-collective-responsibility/

[21] When Cloud Meets COVID-19, Opportunities and Threats Emerge  https://www.gartner.com/en/documents/3983341/when-cloud-meets-covid-19-opportunities-and-threats-emer

[22] Remote Work in an Age of COVID-19 — Threat Modeling the Risks https://www.fireeye.com/blog/executive-perspective/2020/03/remote-work-in-an-age-of-covid-19-threat-modeling-the-risks.html

[23] State of the IoT Q1/2020 & COVID-19 Impact: https://iot-analytics.com/product/state-of-the-iot-q1-2020-covid-19-impact/

[24] IOT SECURITY ISSUES IN 2021: A BUSINESS PERSPECTIVE, https://www.thalesgroup.com/en/markets/digital-identity-and-security/iot/magazine/internet-threats

[25] Threat highlight: Analysis of 5+ million unmanaged, IoT, and IoMT devices, https://www.helpnetsecurity.com/2020/07/24/analysis-of-5-million-unmanaged-iot-and-iomt-devices/

[26] THE TOP 1- IOT SECURITY THRETAS AND VULNERABILITIES, IOT SECURITY ISSUES IN 2021: A BUSINESS PERSPECTIVE, https://blog.particle.io/the-top-10-iot-security-threats/

[27] O-RAN ALLIANCE is Transforming the Radio Access Network Industry Towards Open, Intelligent, Virtualized and Fully Operable RAN, https://www.o-ran.org/

[28] ‘Major’ security flaw detected in 5G core network slicing design, https://www.computerweekly.com/news/252498422/Major-security-flaw-detected-in-5G-core-network-slicing-design

[29] CLOUD COMPUTING SECURITY RISKS IN 2021, AND HOW TO AVOID THEM, https://theappsolutions.com/blog/development/cloud-security-risks/

[30] TOP secret Army, NSA data found on public internet due to misconfigured AWS server, https://www.cyberscoop.com/nsa-army-leak-red-disk-aws-upguard-chris-vickery/

[31] 6 Big Data Security Issues for 2019 and Beyond, https://rtslabs.com/6-big-data-security-issues-for-2019-and-beyond/

[32] 9 Key Big Data Security Issues, https://cybersecurity.att.com/blogs/security-essentials/9-key-big-data-security-issues

[33] Big Data Security: Challenges and Solutions, https://www.dataversity.net/big-data-security-challenges-and-solutions/#