The Human Factor in the Security of the Internet of Things
Year 2019, Volume: 12 Issue: 2, 1 - 12, 17.12.2019
Mevlüt Serkan Tok, Ali Aydın Selçuk
Abstract
Internet-connected things are used intensively in sectors such as transportation, health and energy, and in applications such as smart buildings. In addition to automation and cost advantages, these things offer innovative business models and user experiences. When users choose simple passwords while configuring internet-connected things, or do not change the default passwords that ship with these devices, serious security vulnerabilities arise. In recent years, malware such as Mirai has exploited these weaknesses to take over online things and use them as attack elements in distributed denial-of-service attacks, causing service outages, financial losses and reputational damage. This study aims to determine users' security and risk perceptions regarding the Internet of Things and their preferences regarding password use and security, and thereby to demonstrate the importance of the human factor in the security of Internet of Things devices. Data were collected from participants by questionnaire, the findings obtained were discussed, and measures were proposed to prevent Internet of Things devices from being supplied to users in the Turkish market with non-unique default passwords.