I am asking for possible subjects and ideas for my cybersecurity bachelor thesis. I have 10+ years of experience as a full-stack dev and sysadmin. I have been following HN for a long time and learned so many things. I am not expecting a thesis idea, but a discussion would definitely help me think about possibilities and widen my horizon.

I already have a few items in my list, but I can't find any of these strong enough, because they are either too general or too vague:

- Container (Docker, etc.) security
- Media originality check (e.g. anti-deepfake or propaganda)
- Security of IoT data, especially in the cloud
- Security of health care (don't know how)
What about companies not taking responsibility for their own data?

You could talk about how FB makes $15 per quarter from users and they give up X, Y, Z of data. Yet 90% of the user base wouldn't pay $15 a month for an advertisement-free platform.

Alternatively, how about the Equifax hacks? And your thesis could be on pricing users' data, and viable compensation measures.
SOAR platforms and how ML can help is a good topic for you. (Check out Siemplify and Demisto.) No FOSS solutions to date for SOAR!

Cheap and good cross-platform endpoint security, reducing and simplifying the overhead of managing endpoint security, is also another.

Email security is also big but not as popular of a topic (again, no cheap or FOSS solutions other than a DIY mess you hope management will accept).

I am personally interested in and working around the area of methodical approaches to blue teaming. MITRE's ATT&CK techniques have laid some basic foundations. Different people or companies basically throw money at an expensive solution(s) and even more expensive staff and basically put forth a best-effort use of tools and skills, which isn't bad, but even with good threat modelling, attackers will still find a way and typically you just throw darts in the dark or use best guess (or popular trends). Methodically defining attacker techniques against your specific environment, threat hunting based on attacker techniques, and continually updating your tools + skills + processes will allow for a measurable increase in maturity and actual ability to find and respond to attacks.

Like it or not, the biggest gaps in security are architectural, process and managerial in nature. But I hope the more technical ideas I mentioned help; there are also other trendy things like "zero trust". As a dev and admin you should definitely look at SOAR and the challenges around collecting and storing very high volumes of logs efficiently and cheaply.
I'm currently interested in mining bug bounty disclosed reports and bounty hunter profiles to come up with archetypes of both defending organizations and attacking groups/individuals.

Long term, I would like to see attack+defense hacking incidents run as computer simulations (in a framework like OpenAI's "gym"), but I suspect the public (outside of intelligence and a few select private cybersecurity companies) doesn't have enough information to build this type of model yet. Developing sensors and converting raw data into information to be able to build those models is a prerequisite.
Generally, the biggest problem is that many companies just don't see updates as all that important unless they're offering a computer program or internet service. Many smart devices, IoT devices, etc. don't get updates at all, which leaves them wide open to anyone with the technical know-how to attack them. Especially if they're internet connected, like many of them are.

Getting companies to issue updates and fix security problems in these devices seems like one of the most important issues we're dealing with security-wise.
Cryptocurrency has some pretty interesting security implications. There are threats to individual keys, as well as threats from hackers who find flaws in smart contracts.
Supply chain security is another interesting one. Both hardware and software. Products are built with components from many suppliers, from all over the world, and understanding the security of these is hard. All the current geopolitical excitability / nation state influences make this topical. NSA intercepting networking hardware and implanting monitoring, or AV software build pipelines being compromised; there’s a lot to think about and improve.
Log management. Specifically tracking what you are currently ingesting vs. what you could be. Basically a visibility dashboard.

Another is automated testing of detections on a regular basis. Although some people are doing this with the automated pentests and stuff. I would like to see a platform that imports your current rules and generates attacks based off of them. Then it can run once a month to make sure your alerts are firing.
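The monthly "do my alerts still fire?" check the comment above asks for, together with the technique-driven blue-team mapping from the earlier SOAR/ATT&CK comment, as an added example that is not part of any post in this thread. Each rule is a predicate over a normalized event and carries the ATT&CK technique it targets plus one constructed true-positive event; replaying those events finds rules that have gone dead, and a coverage map shows which techniques have no rule at all. The event field names, rule names, sample events and technique list are all assumptions made for illustration, not any product's schema or ruleset.

```python
"""Added example (not from this thread): a minimal detection-validation
harness.

Each detection rule is a predicate over a normalized event dict and is tagged
with the MITRE ATT&CK technique it is meant to catch. Every rule carries one
constructed true-positive event; run_regression() replays those events and
returns the rules whose alert did not fire. coverage() lists, per technique,
which rules cover it, so gaps against an attacker-technique list are visible.
All event field names, rule names, sample events and the technique list are
assumptions made for illustration, not any product's schema.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]


@dataclass
class Rule:
    name: str
    technique: str                  # ATT&CK technique ID the rule targets
    match: Callable[[Event], bool]  # detection logic
    sample: Event                   # constructed event that must fire the rule


def encoded_powershell(e: Event) -> bool:
    cmd = e.get("cmdline", "").lower()
    return e.get("process", "").lower().endswith("powershell.exe") and "-enc" in cmd


def lsass_access(e: Event) -> bool:
    return e.get("event") == "process_access" and e.get("target", "").lower() == "lsass.exe"


def local_admin_added(e: Event) -> bool:
    return e.get("event") == "group_member_added" and e.get("group", "").lower() == "administrators"


def scheduled_task_created(e: Event) -> bool:
    # Deliberately stale: written against an old event name. The (assumed) log
    # source now emits "scheduled_task_created", so this rule silently never fires.
    return e.get("event") == "schtasks_create"


RULES: List[Rule] = [
    Rule("Encoded PowerShell", "T1059.001", encoded_powershell,
         {"event": "process_create",
          "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}),
    Rule("LSASS handle", "T1003.001", lsass_access,
         {"event": "process_access", "source": "procdump.exe", "target": "lsass.exe"}),
    Rule("Local admin added", "T1098", local_admin_added,
         {"event": "group_member_added", "group": "Administrators", "member": "svc_backup"}),
    Rule("Scheduled task created", "T1053.005", scheduled_task_created,
         {"event": "scheduled_task_created", "task": "Updater", "cmd": "C:\\Users\\Public\\u.exe"}),
]

# Techniques a hypothetical threat model says matter for this environment.
TECHNIQUES_OF_INTEREST = ["T1059.001", "T1003.001", "T1098", "T1053.005", "T1021.001"]

# Constructed log excerpt: one benign event followed by three attacker actions.
SAMPLE_LOG: List[Event] = [
    {"event": "process_create", "process": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"event": "process_create",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA"},
    {"event": "process_access", "source": "procdump.exe", "target": "lsass.exe"},
    {"event": "scheduled_task_created", "task": "Updater", "cmd": "C:\\Users\\Public\\u.exe"},
]


def run_rules(rules: List[Rule], events: List[Event]) -> Dict[str, List[int]]:
    """Map rule name -> indexes of the events that fired it."""
    hits: Dict[str, List[int]] = {r.name: [] for r in rules}
    for i, e in enumerate(events):
        for r in rules:
            if r.match(e):
                hits[r.name].append(i)
    return hits


def run_regression(rules: List[Rule]) -> List[str]:
    """Replay each rule's own true-positive sample; return rules that did NOT fire."""
    return [r.name for r in rules if not r.match(r.sample)]


def coverage(rules: List[Rule], techniques: List[str]) -> Dict[str, List[str]]:
    """Technique ID -> names of rules covering it; an empty list is a detection gap."""
    cov: Dict[str, List[str]] = {t: [] for t in techniques}
    for r in rules:
        cov.setdefault(r.technique, []).append(r.name)
    return cov


if __name__ == "__main__":
    print("fired:", run_rules(RULES, SAMPLE_LOG))
    print("broken rules:", run_regression(RULES))
    gaps = [t for t, rs in coverage(RULES, TECHNIQUES_OF_INTEREST).items() if not rs]
    print("coverage gaps:", gaps)
```

Run as a script it reports that T1021.001 has no rule at all, and that the scheduled-task rule exists on paper (so a coverage matrix alone would count T1053.005 as covered) yet no longer fires on its own true positive because the event name it keys on changed. That second case is why the replay step has to be scheduled and not done once at rule-writing time.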
I think that a lack of a simple identity and authentication solution is a problem. In some sense, it makes no sense that file permissions and website logins are two different authentication schemes.
Institutional challenges in implementing information security best practices.

We know how to be secure, but lots of folks still ignore doing so until it's too late.
A few observations. Make of them what you will.

Basic fraud is still 100x larger of a problem than the more exotic/interesting cybersecurity problems. Former Facebook CSO Alex Stamos had a convention talk[1] about this. The average cybersecurity problem is still of the template like:

- Nigerian 419 scam (or similar social media fake account used to pull heartstrings)
- Romanian spam email e-commerce
- 12-year-old boy steals parents' credit card info to pay for $100s in Fortnite (or similar video game) customizations
- 15-year-old girl is convinced to give her website credentials to her friend for fear of social reprisals
- Harvesting of contact info + open-source intelligence for more traditional phone scams

There is an arms race in just about every aspect of cybersecurity:

- Detection of fraud versus bypass
- IDS/WAF attack signatures
- Email spam filters
- Endpoint malware detection signatures
- Behavior detection (like conditional challenges via reCAPTCHA or for Google authentication)
- Math + security researchers try hard to break cryptographic hash schemes (using techniques more efficient than just brute force)

Game theory is a large part of cybersecurity, because it's largely a human endeavor (even if it's executed by software/bots). The paid bug bounty programs are an interesting exercise in economics and markets (as a bug bounty hunter, how do you choose a target from all of the possible companies that participate in bug bounty programs?).

Cybersecurity is an asymmetric game, as it is currently set up. The attacker "only has to be right once", whereas the defender "has to be right all the time". IT teams "think in lists", whereas hackers "think in graphs".

It's easier than ever to automate security and updates, but increasingly it takes more and more cognitive effort to set up those systems (which inevitably slow down business), so the long-term optimum is frequently abandoned for short-term convenience.

The massive explosion of social media in the past 10 years could have compromised OPSEC for an entire generation of computer operators. When we post credit card details on Twitter[2], it's clear that the average person needs to have better OPSEC.

OPSEC is bad even when not on social media, as shown when hackers saw account credentials on a desk in the background of a television interview[3]. Kids are conditioned by their parents to share their passwords, then develop the bad habit of sharing passwords as a sign of affection for their social peers[4].

AI/ML and quantum computing have the *potential* to cause a massive shift in the current attack/defense posture and current security practices, but when it might show up in practical applications is anyone's guess.

There are legal + policy questions about whether we should try to entrust secret keys to all smart devices to the manufacturer, police, or intelligence services. Even among the Five Eyes countries, the answers to these questions are currently in very different places.

[1] https://youtu.be/YJOMTAREFtY?t=1099

[2] https://twitter.com/Needadebitcard

[3] https://arstechnica.com/information-technology/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/

[4] https://www.nytimes.com/2012/01/18/us/teenagers-sharing-passwords-as-show-of-affection.html