Confidentiality - PowerPoint PPT Presentation

1
Confidentiality
  • Information Assurance Policy (95-803)
  • Danny Lungstrom
  • Senthil Somasundaram

  • 03/27/2006

2
Overview of Security
  • Goals of IT Security: the CIA Triad
  • Confidentiality
  • Integrity
  • Availability

3
CIA Triad
Ref Security In Computing - Charles Pfleeger
4
Confidentiality Defined
  • Confidentiality ensures that computer-related
    assets are accessed only by authorized parties.
    That is, only those who should have access to
    something will actually get that access. Access
    means not only reading but also viewing,
    printing, or simply knowing that a particular
    asset exists. Also sometimes known as secrecy or
    privacy.
  • Ref Security In Computing
    - Charles Pfleeger

5
Risks
  • Types of risk
  • Legal risks: fines, liability lawsuits, criminal
    prosecution
  • Financial risks: numerous costs involved,
    including loss of customer trust, legal fees,
    fines
  • Reputational risks: loss of trust
  • Operational risks: failed internal processes
    (insider trading, unethical practices, etc.)
  • Strategic risks: the financial institution's
    future, mergers, etc.

6
Threats to Confidentiality
  • Access to confidential information by any
    unauthorized person
  • Intercepted data transfers
  • Physical loss of data
  • Privileged access of confidential information by
    employees
  • Social engineered methods to gain confidential
    information
  • Unauthorized access to physical records
  • Transfer of confidential information to
    unauthorized third parties
  • Compromised machine where attacker is able to
    access data thought to be secure

7
Threats in the Case Study
  • Scheduling information regarding national level
    speakers/sensitive private meetings highly
    restricted
  • Concerns over unauthorized access resulting from
    leaks, including leaks to the press and to
    opposition/protest groups
  • Concerns over leaks via IT from opposition
    groups within the national organization
  • Loss of trust in decisions made at the event
  • Can include public exposure of sensitive data
  • Loss of privacy, yielding decreased impact of the
    event and decreased participation in the
    organization
  • Individuals of prominence can lose privacy; this
    can include a physical security risk (schedules,
    timetables, etc.)
  • Such a loss may not directly impact the event;
    the impact may be delayed
  • Can result in loss of sponsorship, financial
    support, and public perception of competence

8
Threats from Case Study
  • Common theme: leaking private data
  • Strict access controls are crucial to protecting
    the confidential information
  • Those who should have access to the confidential
    information should be clearly defined
  • These people must sign a very clear
    confidentiality agreement
  • Should understand importance of keeping the
    information private

9
Financial Importance
  • Financial losses due to loss of trade secrets
  • According to the Computer Security Institute's
    6th Computer Crime and Security Survey, the most
    serious financial losses occurred through theft
    of proprietary information
  • 34 respondents reported losses of $151,230,100
  • That's nearly $4.5 million per company in one
    year!!!

10
Trade Secrets
  • As name implies, must be kept secret
  • No registration/approval or standard procedure
  • Somewhat protected if company takes measures to
    ensure its privacy
  • Quick and easy
  • No formal process, just ensure only those that
    should know about it do
  • Limited protection
  • Not protected against reverse engineering or
    obtaining the secret by honest means

11
Trade Secrets (2)
  • Why trade secrets?
  • Filing for a patent makes the information public
  • Quick
  • How to protect
  • Enforce confidentiality agreements
  • Label all information as Confidential for the
    courts
  • How long do trade secrets remain secret?
  • Average is 4 to 5 years
  • Expected to decrease in the future with
    advancements in reverse engineering processes

12
Best Kept Trade Secrets
  • Coca-Cola
  • Coca-Cola decided to keep its formula secret,
    decades ago!
  • Only known to a few people within the company
  • Stored in the vault of a bank in Atlanta
  • The few that know the formula have signed very
    explicit confidentiality agreements
  • Rumor has it that those who know the formula are
    not allowed to travel together
  • If Coca-Cola had instead patented the syrup
    formula, everyone could be making it today
  • KFC's 11 secret herbs and spices

13
Phishing Scams
  • Tricking people into providing malicious users
    with their private/financial information
  • Financial losses to consumers
  • $500 million to $2.4 billion per year, depending
    on the source
  • 15 percent of people who have visited a spoofed
    website have parted with private/personal data,
    much of the time including credit card, checking
    account, and social security numbers

14
Phishing Example
15
Help Protect Yourself
  • Don't use links from emails for sites where
    personal/financial information is to be disclosed
  • Browse to the website yourself
  • Use spam filtering to avoid much of the mess
  • Check for HTTPS and a padlock on the browser's
    status bar
  • Don't solely rely on it, though
  • Educate yourself about the risks!
  • Check your credit report periodically

16
Legal Requirements
  • HIPAA
  • Gramm-Leach-Bliley
  • FERPA
  • Confidentiality/Non-disclosure Agreements
  • ISP/Google subpoenaed examples

17
HIPAA
  • Numerous regulations on access to a person's
    health information
  • Ensure patient access to records
  • Allow them to modify inaccuracies
  • Written consent required to disclose records
  • Ensure not used for non-medical purposes (job
    screening, loans, insurance)
  • Proper employee training on respecting
    confidentiality of patients

18
What HIPAA Doesn't Do
  • Does not restrict what info can be collected,
    person just has to be informed
  • Doesn't require extremely high levels of privacy
    during medical visits, just reasonable
  • Some sort of barrier (curtains)
  • No public conversations
  • Secure documents
  • No post-it note passwords

19
Gramm-Leach-Bliley Act
  • Protection for consumer's personal financial
    information
  • All financial institutions must have a policy in
    place that identifies how information will be
    protected
  • Must also identify foreseeable threats in
    security and data integrity

20
Gramm-Leach-Bliley Act (2)
  • Financial Privacy rule
  • Institution must inform individuals as to any
    information collected, the purpose of the
    collection, and what is going to be done with it
  • The individual may refuse
  • Safeguards rule
  • Security policy portion of act, as described
    earlier
  • Pretexting Protection (social-engineering)
  • Institutions must take measures to protect
    against social-engineering, phishing, etc.

21
FERPA
  • Family Educational Rights and Privacy Act
  • Instructor regulations
  • Cannot provide a child's grade to anyone other
    than child/parent (no websites)
  • Cannot share info on child's behavior at school
    except to parents
  • Cannot share info on child's homelife
  • Child's instructor must do the grading, not a
    volunteer or someone else

22
ISPs Subpoenaed
  • What rights do ISP subscribers have to
    confidentiality?
  • ISPs being forced to turn over names
  • Verizon vs. RIAA
  • Verizon won the appeal
  • User vs. Comcast
  • Comcast gets sued from both ends
  • RIAA vs. Grandma
  • 83-year-old Gertrude shared over 700 rock/rap
    songs, but...
  • RIAA decides to drop case...
  • Blames time it takes to get user info

23
DoJ vs. User Privacy
  • COPA (Child Online Protection Act)
  • DoJ subpoenaed nearly all major ISPs and search
    engines
  • Search engines required to turn over searches
  • Google says this could link back to specific
    users
  • demanded production of "all queries that have
    been entered on Google's search engine between
    June 1, 2005 and July 31, 2005"

24
Google vs. DoJ
  • Is Google only pretending to care?
  • Only fighting the subpoenas in order to better
    reputation with the public?
  • Google's on our side
  • But, they mine an enormous amount of data on
    anyone that uses any of their services
  • Protecting their own trade secrets

25
Bigger Problem
  • These enormous databases exist
  • If anyone gets ahold of any portion of these
    databases, they have an unimaginable wealth of
    private information on an endless amount of
    people
  • ChoicePoint forced to pay $15 million by the FTC
  • 163,000 consumers' information stolen from its
    database
  • Names, SSNs, credit history, employment history,
    etc.
  • Led to at least 800 cases of identity theft
  • http://www.privacyrights.org/ar/ChronDataBreaches.htm

26
Giant Eagle Example
  • Giant Eagle's Loyalty Program
  • Nearly 4 million active users in 2005
  • Users' purchases at both the grocery store and
    gas station are knowingly monitored, but 4
    million still think the invasion of privacy is
    worth the savings
  • Can even link the card to fuel perks, enable
    check cashing and video rental service!
  • Also use card at 4,000 hotels, Avis, Hertz,
    Alamo, numerous local retailers, sporting events,
    museums, zoos, ballets, operas, etc.
  • Basically as much info as you're willing to give
    them they'll take... and use for what else?

27
Giant Eagle (2)
  • From the privacy policy
  • Giant Eagle does not share your personal
    information or purchase information with anyone
    except
  • As necessary to enable us to offer you savings on
    products or services or
  • As necessary to complete a transaction initiated
    by you through the use of your card

28
Writing Policies
  • Ask numerous questions before beginning
  • What information is confidential?
  • The broader the definition the better (for the
    discloser)
  • Who should be allowed to access this information?
  • Create a list and have them sign confidentiality
    agreements
  • How long is it to remain confidential?
  • Longer the time frame, the harder to keep
    confidential
  • What type of security policy is needed?
  • What sort of organization is it for?
  • What level of confidentiality is necessary for
    the given organization?

29
Further Risk Assessment
  • Basic questions
  • Who, what, when, where, why, how?
  • Who?
  • Who should have access, who shouldn't
  • Ensure they must properly authenticate before
    accessing information, so that the "who" is
    established and accountable (non-repudiation)

30
Further Risk Assessment (2)
  • What?
  • What needs to be kept confidential?
  • When?
  • How long must it remain secure?
  • Where?
  • Where is this confidential data going to be
    safely stored?
  • File server, workstation, removable media,
    laptop, etc.

31
Further Risk Assessment (3)
  • Why?
  • Law
  • FERPA, HIPAA, etc.
  • Specified in end-user agreement
  • User trust
  • How?
  • What means are to be used to ensure its
    protection?
  • Access controls, encryption, physical barriers,
    etc.

34
Types of Security Policies
  • Military Security (governmental) Policy
  • Commercial Security Policies
  • Clark-Wilson Commercial Security Policy
    (Integrity)
  • Separation of Duty (Integrity)
  • Chinese Wall Security Policy (Confidentiality)

35
Military/Government Security Policies
  • Goal: protect private information
  • Uses a ranking system on levels of confidentiality
  • Need-to-know rule
  • Compartmentalized
  • The combination (rank, compartment) is an
    object's classification
  • Clearances are required for different levels of
    classification
  • Access based on dominance
  • Combination of sensitivity and need-to-know
    requirements

36
Information Sensitivity Ranking
[Figure: sensitivity ranks crossed with Compartment 1, Compartment 2 and Compartment 3]
Ref Security In Computing - Charles Pfleeger
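
The dominance rule on the previous slide, as an added example (not code from the slides or from Pfleeger's book): a clearance (rank, compartments) dominates a classification only when the rank is at least as high and the subject holds every compartment the object carries. The rank order, compartment names and the object catalog below are constructed for illustration.

```python
# Added example; not from the slides or from Pfleeger's text.  Implements the
# "access based on dominance" rule for a (rank, compartments) lattice.
# RANKS, CATALOG and the compartment names are constructed for illustration.

RANKS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Constructed catalog: object name -> (rank, set of compartments)
CATALOG = {
    "press-release": ("UNCLASSIFIED", set()),
    "ops-memo": ("CONFIDENTIAL", {"ops"}),
    "key-schedule": ("SECRET", {"crypto"}),
    "war-plan": ("TOP SECRET", {"ops", "nuclear"}),
}


def dominates(subject, obj):
    """True if classification `subject` dominates classification `obj`.

    Both are (rank, compartments).  Dominance needs BOTH conditions: the rank
    must be at least as high, and every compartment of the object must be
    among the subject's compartments (the need-to-know part).
    """
    s_rank, s_comps = subject
    o_rank, o_comps = obj
    return RANKS[s_rank] >= RANKS[o_rank] and set(o_comps) <= set(s_comps)


def comparable(a, b):
    """Some pairs are incomparable: neither dominates the other.  A SECRET
    {crypto} subject and a SECRET {nuclear} object are such a pair, which is
    exactly what compartments are for."""
    return dominates(a, b) or dominates(b, a)


def readable_objects(clearance, catalog=CATALOG):
    """Names of catalog objects a subject with `clearance` may read
    (simple security property: read only what your clearance dominates)."""
    return sorted(name for name, cls in catalog.items()
                  if dominates(clearance, cls))


if __name__ == "__main__":
    analyst = ("SECRET", {"crypto", "ops"})
    print(readable_objects(analyst))
    # A TOP SECRET clearance with no compartments sees less than the analyst:
    print(readable_objects(("TOP SECRET", set())))
```

Note that rank alone decides nothing: the TOP SECRET subject with no compartments can read only the unclassified object, because need-to-know is part of the dominance test.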
37
Commercial Security Policies
  • Less rigid and hierarchical
  • No universal hierarchy
  • Varying degree of sensitivity
  • E.g. Public, Proprietary and Internal
  • No formal concept of clearance
  • Access not based on dominance, as there are no
    clearances

38
Chinese Wall Policy
  • Conflicts of interest
  • Affects those in legal, medical, investment and
    accounting firms
  • Person in one company having access to
    confidential information in a competing company
  • Based on three levels for abstract groups
  • Objects
  • Files
  • Company Groups
  • Collection of files
  • Conflict Classes
  • Company groups with competing interests

39
Chinese Wall Policy (2)
  • Access control policy
  • An individual may access any information, given
    that (s)he has never accessed any information
    from another company in the same conflict class
  • So, once an individual has accessed any object in
    a given conflict class, they are from then on
    restricted to only that company group within the
    conflict class; the rest are off-limits
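
The access rule above, as an added example (not code from the slides): objects belong to company groups, company groups sit in conflict classes, and a subject's own first access builds the wall. The company names, file names and conflict classes are constructed for the example.

```python
# Added example; not from the slides.  Implements the Brewer-Nash "Chinese
# Wall" access rule described on the slide above.  Company names, files and
# conflict classes are constructed for illustration.

# Company group -> conflict class (company groups with competing interests)
CONFLICT_CLASS = {
    "BankA": "banks",
    "BankB": "banks",
    "OilX": "oil",
    "OilY": "oil",
    "LawFirm": "legal",   # only member of its class: never in conflict
}

# Object (file) -> company group that owns it
OWNER = {
    "bankA-ledger.xls": "BankA",
    "bankB-merger.doc": "BankB",
    "oilX-reserves.pdf": "OilX",
    "oilY-bids.xls": "OilY",
    "lawfirm-retainer.doc": "LawFirm",
}


class ChineseWall:
    def __init__(self, conflict_class=CONFLICT_CLASS, owner=OWNER):
        self.conflict_class = conflict_class
        self.owner = owner
        # subject -> set of company groups the subject has ever accessed.
        # The history is what makes the policy dynamic: the wall is built by
        # the subject's own first access, not by a static label on the file.
        self.history = {}

    def can_access(self, subject, obj):
        company = self.owner[obj]
        cls = self.conflict_class[company]
        for seen in self.history.get(subject, set()):
            # Same company again is fine; a *different* company in the same
            # conflict class is the conflict-of-interest case.
            if seen != company and self.conflict_class[seen] == cls:
                return False
        return True

    def access(self, subject, obj):
        """Grant or deny, and record a grant in the subject's history."""
        if not self.can_access(subject, obj):
            return False
        self.history.setdefault(subject, set()).add(self.owner[obj])
        return True

    def walled_off(self, subject):
        """Company groups now off-limits to `subject` because of past accesses."""
        seen = self.history.get(subject, set())
        seen_classes = {self.conflict_class[c] for c in seen}
        return sorted(c for c, cls in self.conflict_class.items()
                      if cls in seen_classes and c not in seen)


if __name__ == "__main__":
    wall = ChineseWall()
    print(wall.access("alice", "bankA-ledger.xls"))   # True: first bank
    print(wall.access("alice", "bankB-merger.doc"))   # False: competitor
    print(wall.access("alice", "oilX-reserves.pdf"))  # True: different class
    print(wall.walled_off("alice"))                   # ['BankB', 'OilY']
```

The history must be kept per subject and must survive across sessions; a wall that is forgotten at logout is no wall at all.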

40
Chinese Wall Illustrated
[Figure: access sets initially, and after choosing company B and company D]
Ref Security In Computing - Charles Pfleeger
41
Writing the CA
  • After considering these various questions, it is
    time to actually write the policy
  • Contents should include
  • Obligation of confidentiality
  • Restrictions on the use of confidential
    information
  • Limitations on access to the confidential
    information
  • Explicit notification as to what is confidential
  • These things should all be considered when
    writing the policy for the case study

42
Access controls
  • Locking down an OS
  • Principle of Least Privilege
  • Password Management
  • User policies
  • What if someone calls and needs a password?
  • Anti-social-engineering measures

43
OS Lockdown
  • Step 1
  • Identify protection needed for various files/objs
  • Separate information/data into categories and
    decide who needs what type of access to
    it
  • Distinguish between local and remote
    access
  • Step 2
  • Create associated user groups
  • Groups derived from first step above
  • Simply create these groups and assign appropriate
    members

44
OS Lockdown (2)
  • Step 3
  • Setup access controls
  • General practices
  • Deny as much as possible
  • Disable write/modify access to any executables
  • Restrict access to OS source/configuration files
    to admin
  • Only allow appends to log files
  • Analyze access control inheritance
  • UNIX/Linux specific
  • No world-writable files
  • Mount file system as read-only
  • Disable suid
  • Make kernel files immutable

45
OS Lockdown (3)
  • Step 4
  • Install/configure encryption capabilities
  • Depending on how confidential information is,
    either use OS encryption or add 3rd party
    software to do the job
  • Necessary if OS access controls are not overly
    configurable
  • Step 5
  • Continue to monitor!
  • Make sure things are as expected

Source CERT.org
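
One way to check the UNIX-specific items of Step 3 (no world-writable files, no unneeded setuid bits, executables not writable by group or world) and then fix what was found, as an added example that is not from the slides or from the CERT material they cite. The sample tree, its file names and its permissions are constructed here so the audit has something to flag; append-only log files (chattr +a) and immutable kernel files (chattr +i) need root and are not shown.

```python
# Added example; not from the slides or from CERT.  Audits a directory tree
# against three of the Step 3 rules and strips the offending bits.  The
# sample tree below is constructed for the example.
import os
import stat
import tempfile


def make_sample_tree():
    """Build a throwaway tree with deliberately bad permissions; return its root."""
    root = tempfile.mkdtemp(prefix="lockdown-")
    layout = {                     # relative path -> mode bits
        "bin/app": 0o755,          # fine
        "bin/helper": 0o4755,      # setuid helper: flag it
        "bin/deploy.sh": 0o775,    # group-writable executable: flag it
        "etc/app.conf": 0o666,     # world-writable config: flag it
        "etc/secret.key": 0o600,   # fine
        "var/log/app.log": 0o644,  # fine (append-only needs chattr +a, not shown)
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)       # explicit chmod, so the umask does not interfere
    return root


def audit_tree(root):
    """Return {rule: sorted list of offending paths relative to root}."""
    findings = {"world_writable": [], "setuid": [], "writable_exec": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode      # lstat: do not follow symlinks
            if not stat.S_ISREG(mode):
                continue
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings["world_writable"].append(rel)
            if mode & stat.S_ISUID:
                findings["setuid"].append(rel)
            if mode & stat.S_IXUSR and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings["writable_exec"].append(rel)
    return {rule: sorted(paths) for rule, paths in findings.items()}


def _strip(path, bits):
    """Clear `bits` from the file's permission bits, leaving the rest intact."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~bits)


def remediate(root, findings):
    """Apply the matching fix to each finding; return the number of files changed."""
    changed = 0
    for rule, bits in (("world_writable", stat.S_IWOTH),
                       ("setuid", stat.S_ISUID),
                       ("writable_exec", stat.S_IWGRP | stat.S_IWOTH)):
        for rel in findings[rule]:
            _strip(os.path.join(root, rel), bits)
            changed += 1
    return changed


if __name__ == "__main__":
    root = make_sample_tree()
    found = audit_tree(root)
    print(found)
    print("fixed", remediate(root, found), "files")
    print(audit_tree(root))   # all three lists empty after remediation
```

Run the audit again after remediation (Step 5, "continue to monitor"): a clean second pass is the evidence that the fix took, and a later non-clean pass is the signal that something changed the tree.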
46
Database Access
  • Databases often house an enormous amount of
    desired data about people (CCs, SSNs, etc.)
  • Must pay special attention to access
  • Defense in depth
  • Only allow specific users access
  • Limit these users as much as possible
  • Encrypt information in database
  • Encrypt information in transfer
  • IPSec, SSL, TLS
  • Patch!

47
Password Policies
  • Confidential information is protected by some
    means of authentication, often passwords
  • How confidential the password protected
    information is depends on the strength of the
    password used
  • Tips
  • Not dictionary based
  • More than 8 characters (the more the merrier)
  • Combination of letters, numbers, and special
    chars
  • Not related to user
  • Not related to login name
  • Don't reuse the same password for all accounts!
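
The tips above as a checker, added here as an example (not code from the slides): it returns every rule a candidate password breaks, including dictionary words disguised with common character substitutions, which pass a naive "mix of characters" test. The word list, the substitution table and the sample user are constructed for the example; a real deployment would load a large dictionary and a breached-password list.

```python
# Added example; not from the slides.  Turns the password tips into a checker.
# WORDLIST, LEET and the sample user are constructed for illustration.
import string

# Constructed dictionary; real checks use wordlists with millions of entries.
WORDLIST = {"password", "welcome", "letmein", "summer", "qwerty", "pittsburgh"}

# Common substitutions that make a dictionary word *look* complex.
LEET = str.maketrans("01345@$7", "oieasast")


def _candidates(password):
    """Forms of the password to look up in the word list: lower-cased,
    with trailing digits/punctuation removed, with leet-speak undone."""
    low = password.lower()
    stripped = low.rstrip(string.digits + string.punctuation)
    return {low, stripped, low.translate(LEET), stripped.translate(LEET)}


def password_problems(password, login, full_name="", in_use=()):
    """Return the list of rules the password breaks (empty list = acceptable).

    `in_use` holds the passwords the user already has on other accounts,
    as a password manager would, for the no-reuse rule.
    """
    problems = []
    if len(password) <= 8:
        problems.append("too short")
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        problems.append("needs a mix of letters, digits and special characters")
    if _candidates(password) & WORDLIST:
        problems.append("dictionary word")
    low = password.lower()
    if login.lower() in low:
        problems.append("contains login name")
    if any(part in low for part in full_name.lower().split() if len(part) >= 3):
        problems.append("related to user's name")
    if password in in_use:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    # Constructed sample user, not a real account.
    for candidate in ("P@ssw0rd1", "jdoe2006!", "short1!", "correct-Horse7battery"):
        print(candidate, "->", password_problems(candidate, "jdoe", "Jane Doe"))
```

"P@ssw0rd1" satisfies length and character-class rules and is still rejected: undoing the substitutions turns it back into a word on the list.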

48
Encryption for Confidentiality
  • When to use
  • Anytime you wouldn't want anyone/everyone to
    see what you're doing
  • Financial transactions
  • Personal e-mails
  • Anything confidential
  • Various solutions
  • PGP, S/MIME, PKI, OpenVPN, SSH, SFTP, etc.
  • Drawbacks/difficulties
  • May not be permitted
  • Not always user-friendly
  • Not what users are used to

49
Regulated Encryption
  • Should there be more stringent guidelines for
    using various encryption techniques?
  • Many in gov't said yes after 9/11 and pushed for
    reform
  • Senator Judd Gregg pushed to require that the
    gov't be given the keys to decrypt everyone's
    messages if necessary
  • Much debate, as terrorists may encrypt messages
    that not even the NSA can decrypt (so they say)
  • Would this help? Would the terrorists use
    encryption methods that the gov't could decrypt
    and would they provide them with keys? Or is this
    just a privacy invasion for all non-terrorists?

50
Email Policy
  • Popular encryption methods
  • PGP
  • Entrust
  • Hushmail
  • S/MIME
  • Should employees be allowed to encrypt
    messages at work?
  • May want to secure confidential business trade
    secrets or other work-related data
  • Would you want work related info sent out on a
    postcard?
  • May just want to email friends and not be
    monitored

51
Email Policy
  • Clearly define proper use of e-mail at work
  • What is allowed and what is not
  • State any monitoring activity in the
    confidentiality notice; ensure users know they
    are being monitored if they are
  • Specify authorized software that can be used for
    e-mail
  • Disallow running executable files received as
    attachments
  • Could allow for further breaches
  • Define e-mail retention policy

52
Network policies
  • Separate servers based on services and levels of
    confidentiality required
  • A public file server or database should not also
    house confidential information
  • Case study: various services needed
  • Separate confidential from public
  • Separate by which groups are to be allowed access

53
Event Network
[Diagram: Operations network (8-9 servers, 200 PCs): Podium, Scheduling, Voting, Communications, Sponsor Access, Participant Access]
[Diagram: Organization network (10 servers, 400 PCs): Financial, Human Resources, Contracting, Communications, Public Relations, Network Operations]
[Diagram: external segments: Venue, Internet, Media]
Source 95-803 course slides
54
Break Time!
  • Josh was supposed to bake cookies, but he
    misplaced his apron - sorry

55
Confidentiality
  • Device and Media Control
  • Backups
  • Physical Security
  • Personnel Security
  • Outsourcing/Service Providers
  • Incident Response

56
Device Media Control
  • Device and Media Control

Ref www.securewave.com
57
Device Media Issues
  • What are the issues?
  • Growing pain!!!
  • Number of devices on the rise
  • Increased security risk
  • Technology race for faster, smaller, cheaper and
    higher-capacity devices
  • Less than 5 minutes to copy 60 GB of data
  • 2 GB of memory can hold up to 400,000 pages
  • Devices are cheap but the information may be
    expensive

58
Risks
59
Privacy Vs Security
60
Smart Phones
61
Policy Device Media
  • Define a device and media control policy
  • What to consider?
  • Ban the use of all mobile media?
  • Governing may be more practical than prohibiting
    mobile devices
  • Identify and list authorized devices/media
  • Define their acceptable method of usage
  • Keep track of devices connected to your network
  • Associate devices to valid users

62
Policy Device Media(2)
  • What to consider?
  • Password protection on all mobile devices
  • Disallow storing of sensitive information on
    mobile devices
  • Encryption
  • Govern the use of personal devices on corporate
    environment
  • Take into account the convergence of data and
    telecom
  • Train and educate your employees on protection of
    devices and media

63
Device Media Disposal
  • Define a policy for device media disposal
  • Ensure complete sanitization before the
    equipment/media is re-used or disposed of
  • Provide guidelines on standard for media
    sanitization
  • Monitor media disposal by third party
  • NIST guidelines for media sanitization
  • http://csrc.nist.gov/publications/drafts/DRAFT-sp800-88-Feb3_2006.pdf

64
Case Study Options (1)
  • Device Media Control Policy Options
  • Classify the information to be protected
  • Prohibit copying classified/confidential
    information to mobile devices, including
    laptops, PDAs, USB storage, etc.
  • Provide printing/e-mailing/download options only
    for non-confidential data
  • Enforce encryption of data on all storage media
  • Identify and specify authorized type of devices
    that can be connected to network

65
Case Study Options (2)
  • Device Media Control Policy Options
  • Require wireless devices be registered before
    getting connected to the network
  • Disable any direct external mobile device
    attachments to network with highly confidential
    information
  • Provide only dumb terminals for public/media
    access so that no external devices can be
    attached to the network
  • Ban use of cell phones during private sessions

66
Backups
  • Backups security often overlooked
  • Why are they important?
  • Due to the concentration of data, the degree of
    confidentiality is as high as for the original data
  • Confidentiality requirements for information
    apply to backed up data
  • HIPAA requires compliance methodologies for
    backups as well
  • Archives/Business History

67
Backups (2)
  • Security factors
  • Storage of backup data
  • Transfer of backup data
  • Security of networks used to backup data
  • Software Media

68
Backups Policy (1)
  • What to consider?
  • Procedure for backups
  • Allowable software and storage media
  • Encryption of confidential data
  • Guidelines for storage
  • Guidelines to protect the documents with
    information about backups encryption keys,
    location etc
  • Patches for backup software

69
Backups Policy (2)
  • What to consider?
  • Inventory
  • Testing
  • Security of networks used for backups
  • Garbage collection of obsolete backups
  • Sanitization of backup media before disposal
  • Transportation methods
  • Procedures
  • http://csrc.nist.gov/fasp/FASPDocs/contingency-plan/Backup-And-Recovery.pdf

70
Physical Security
  • Why is it required?
  • First line of defense in preventing loss of
    confidentiality
  • Physical attacks require minimal effort
  • Protects information assets from unauthorized
    access
  • All security policy enforcement will be a
    non-factor without physical security
  • Security lapses increase the risk of both insider
    and outsider attacks
  • Protects confidential information assets from
    natural and environmental hazards

71
Physical Security (2)
  • Privacy Vs Security
  • Appropriate levels
  • What can we do?
  • Consider multilayer security approach
  • Environment of authorized personnel only
  • Physical barriers like fences, guards, alarms,
    surveillance video, etc.
  • Maintain an inventory of computer hardware and
    label them for identification
  • Limit access to your hardware

72
Physical Security (3)
  • What can we do?
  • Deploy your servers with confidential information
    only in physically secure locations
  • Restrict physical access to your information
    assets by third parties.
  • Document visit procedures and method of access
    for third parties
  • Conduct periodic physical security audits for
    compliance
  • Enforce security practices to prevent dumpster
    diving
  • National Industrial Security Program Operating
    Manual (NISPOM)
  • http://www.fas.org/sgp/library/nispom/nispom2006.pdf

73
Insider Threat
74
Personnel Security
  • Importance?
  • Insider threats are real
  • Employee security practices play a vital role in
    protecting confidential information
  • What to consider?
  • Employment terms need to include the employee's
    role and responsibility in protecting
    confidential information
  • Employment terms must state penalties for
    violation
  • Carry out background checks
  • Training on security
  • Training on protection of trade secrets and
    intellectual property rights
  • Employees are also part of corporate assets
  • Protect and safeguard employees

75
Outsourcing
  • Confidentiality Issues
  • Reduces cost but increases risk
  • Dependence on service providers
  • Can the vendors be trusted with handling
    confidential data?
  • Vendors may be handling data and dealing with
    information systems of competing companies
  • Offshore: can US regulations be enforced in
    offshore jurisdictions?
  • Non-disclosure agreements in offshore projects
  • Can all institutions outsource?

76
Outsourcing (2)
  • Mitigation of Risks
  • Define goals, scope and risks
  • Assess information risk Vs benefits
  • Evaluate the service provider's capability to
    handle confidential information
  • Determine the contractor's ability to comply with
    security requirements
  • BITS IT Service Provider Service Expectations
    Matrix
  • http://www.bitsinfo.org/downloads/Publications%20Page/bitsxmatrix2004.xls

77
Outsourcing (3)
  • Evaluate Service Providers (BITS Method)
  • Security Policy
  • Organizational Security
  • Asset Classification Control
  • Personnel Security
  • Physical Environment Security
  • Communications and Ops Management
  • Systems Development and Maintenance
  • Business Continuity
  • Regulatory Compliance

Ref www.bitsinfo.org
78
Outsourcing (4)
  • Privacy and Confidentiality Considerations
  • Review privacy policy of the service provider for
    adequacy
  • Understand how the policy is implemented and
    communicated
  • Review privacy policy employee training and
    tracking
  • Review the service provider's employee
    confidentiality agreements
  • Review the service provider's policy on employee
    privacy policy violations

Ref www.bitsinfo.org
79
Outsourcing (5)
  • Privacy and Confidentiality Considerations
  • Review the adequacy of privacy for the service
    provider's contract staff
  • Review procedures to retain, protect and destroy
    non-public information
  • Assess the service provider's diligence in legal,
    regulatory and compliance areas
  • Compare the company's privacy policy with the
    service provider's policy and identify gaps
  • More
  • http://www.bitsinfo.org/downloads/Publications%20Page/bits2003framework.pdf

Ref www.bitsinfo.org
80
Options For Case Study
  • Service Provider Policy Considerations
  • Evaluate each vendor's privacy policy, including
    that of the event venue, for adequacy
  • Require vendors to prove compliance before the
    contract is finalized
  • Have all third parties/vendors sign an NDA
  • Ensure thorough background checks before hiring
    contract staff for the event
  • Include all confidentiality agreements in the
    contract, with a severe penalty clause for lapses

81
Incident Response (1)
  • Purpose?
  • Effective and quick response necessary to limit
    the damage
  • Regulations call for corporate incident policies
    and procedures
  • Policy and plan required to assess the damage and
    respond appropriately
  • Plan for recovery from the damage and business
    continuity
  • Improves your chances of survival after breach

82
Incident Response (2)
  • Policy Considerations
  • Define incident reporting and handling work flow
  • Identify incident handlers and their
    responsibilities
  • Educate and train your employees on incident
    reporting
  • Legal Compliance
  • Procedures to contact law enforcement
  • Evidence collection
  • CERT Handbook
  • http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html

83
Trust
  • Reason?
  • Confidentiality relies highly on trust
  • Employer trusts employee
  • Employer trusts service providers
  • Trust hardware
  • Trust software
  • Is it sufficient?
  • Trust but deploy controls/procedures to validate
    trust

84
Conclusion
  • Confidentiality Not optional!!
  • Legal and regulatory compliance
  • Secure all the doors to confidential information
  • Policy and controls will provide relative
    security
  • Policy and controls will improve chances of
    survival
  • No Guarantee!!!

85
Questions