Download
1 / 70
700 likes | 716 Views
Data Security:. Protecting data within an organization Doug Jacobson Information Assurance Center www.iac.iastate.edu. Outline. The past (slides from 1998 talk) What are the threats What is the state of the art in defense New Threat model (they are inside) Data threats Data protection.
E N D
Data Security: Protecting data within an organization Doug Jacobson Information Assurance Center www.iac.iastate.edu
Outline • The past (slides from 1998 talk) • What are the threats • What is the state of the art in defense • New Threat model (they are inside) • Data threats • Data protection
Today, is there still a problem? • One recent report • 800 million records lost • 60% were from hacking • Documented attacks against • Power grid, Banking, Transportation • (Just about every critical sector) • Heartbleed, BASH, POODLE, Sandworm, Target/HomeDepot/DQ, SONY • Does not include the attacks directed at people
What has changed in 15 years? • More attackers • More possible devices (over 7 billion) • More motivations to attack ($, IP, war) • More reliance on technology • More potential victims (users on the net) • More news coverage • More DATA to steal
What are the threats? • They are almost as many ways to classify threats as there are threats • We want to look at: • Why is this a hard problem • What are the targets • What is our risk • Who is after us
Why is threat classification hard? • There is no longer a solid perimeter • Wireless, mobile, computing everywhere • Multiple vendors providing solutions • Security is not a selling point - First to market • Outsourcing • New technologies • Change in tactics • Time compression
What is our risk? • We don’t know how important something is until we lose it. • We don’t always know what is important to others (customers, attackers) • We don’t know what we have and where it is • New technology makes it hard to keep up • New model: Assume attackers are in your network.
Who is after us? • Script kiddies • Hackers • Professionals • Nation states
Goals vs. outcomes • Goals: • Theft (money, data, etc.) • Cyber crime • Aid in physical crime or just a cyber crime • Terrorism • Aid in physical activity or cyber only • Disruption • Outcome of attack maybe the same independent of the goal.
How They do it:Attacks of opportunity • Often carried out by script kiddies • Pick on vulnerable systems • Not installing patches • Misconfigured systems • Initial configuration problems • Reconfiguration problems
How They do it: Advanced Persistent Threat • Attackers will pick a target or targets and wait until you make a mistake. • Misconfiguration • Not patching a system • Or they will target your employees with phishing emails • Get them to disclose passwords • Go to web sites to get malware • Send attachments with malware • Zero day attacks
(APT) Likely targets • The Internet of things • Power, Water, transportation, etc. • Where the money is • Banks, people, organizations (lower tech = target • Intellectual property • Technology (ag sector, manufacturing, etc) • Gain access
How They do it: Types of insider threats • Intentional– Think of the number of egress points and the number of protocols involved. • Accidental– As applications become more integrated and seamless it becomes easier to send data (email, IM, P to P) • Intentionally Accidental– As we have harden our defenses the attackers are using more social based attacks to get the users to leak information.
Careless Insider • Attackers have shifted focus to the employees and home users • Phishing • Viruses • Spyware • Social Engineering • Using Email, peer to peer, IM, web sites, software downloads
Example (Target) • Attackers had malware that reads memory and sends it to a drop site • Unclear if they picked certain retailers or just looked for ones they could insert the malware To Target main office Encrypt & verify CC reader memory
Example (Target) • Used weak security at HVAC company to get login name and password to Target • Tested software Nov 15-28 • Nov 30 pushed to most POS terminals Attackers HVAC Encrypt & verify CC reader Target Main office Malware memory To drop sites
Credit cards for sale • Home Depo theft was over a longer period
Example (SONY) • Still unclear on how they gained access. • Appears to be APT • Attackers raised the stakes in that this is one of the first attacks that caused wide spread destruction of computing resources. • Well written and very complex malware
Now lets talk about defense • First cyber security is an unfair war • Defenders must be perfect • Attackers only need to get it right once. • Law enforcement often cannot tell if something happened. • Lets look at where we are at • Prevention (defense) • Detection • Attribution
State of the art in defense • Most organizations practice defense in depth • However we are still often just reacting to events. • Some times we don’t even know they are attacking
State of the art in protection / prevention We know how to build forts and protect ourselves from the outside
Let’s talk about walls • We build lots of technology based walls around everything.
Threats against the wall SW/HW Faults Defect in the wall Threats Open door in the wall Config Faults Getting key door key from user Bad lock on the door Auth Faults Social Faults
Threats to the people • Phishing • Email attachments • Trojans • Viruses • Peer-to-Peer • Web Sites • Wireless • Social Networking
Detection • Hard to know when are being attacked • Often we know because of some other data (bank statement, audit, etc.) • Finding an attack in all of the data • Users and organizations need to play a role. • Very little information sharing to know if there is a pattern across organizations
Attribution • Very hard problem • Device attribution vs. people attribution • Easier to identify a device than the person • Often attacks come from place where information is hard to get • Many technologies allow users to hide • Need forensics • Network • Computer
The future • Internet of things • More devices than people connected to the Internet • Highly focused attacks • People • Infrastructure • New risk model • Assume they are inside already • True cyber physical attack
New threat model • This is a complex system problem • We need to assume they are or will be inside our systems • They want our data • Sell it • Use it • Destroy it • Use it against us • We need to Protect it
No easy solution • There is no longer a solid perimeter • Wireless, mobile, computing everywhere • Multiple vendors providing solutions • Home grown solutions • Adaptive attacks • Data leakage
Lets talk about data • Can you answer these questions: • How much data you have? • Where the data lives? • How many copies there are? • Who has the copies • Do they know they have a copy? • Do they know how to protect it? • Do you have a plan?
What is data? • Data acts like water • Just like the earth is mostly water most of your organization is based on data. • Water is everywhere and so is your data • Data, like water is hard to hold on to once it leaves its container. • Like water everyone wants data. • Like water many people are willing to share data when asked? • One big difference, data can be copied
Computer Information Volume • Terabyte 1,099,511,627,776 bytes • Page size 3000 bytes • Pages 366,503,875 • Ream 500 pages • Reams 733,007 Reams • Ream height 2” • Total height 1,466,014” = 122,168’ or 23 miles • Olympus Mons 78,740’
Data Leakage • Focus has been on identity theft and while that is an important issue, organizations should not forget the importance of their other data. • Increasing number of protocols • Increasing number of attackers • Increasing number of user driven applications • Increasing amount of data • Increasing government intervention • Increasing number of attacks against insiders
Data Loss Prevention • Where is your located? • Centralized, distributed, both • Who has access to your data? • Read, write, delete • Who controls your data? • Owners, users, anyone • Do you manage • Data at rest? • Data in motion? • Data in devices?
Data at Rest • Your data is stored somewhere (everywhere) • How many ways can data at rest be copied, moved, or examined • How do you find your data at rest • Discovery • How do you keep your data at rest safe • Encryption, device locking
Data In Motion • Used to keep private information from leaving • SS Numbers, Account Numbers, Records • Will either log, stop, or encrypt violating content • What is leaving your organization • Protocols • User installed applications • Confidential data
Data In Devices • Do people carry the data with them? • Phones • Laptops • Tablets • What ever the new technology is • Do people remotely access data from their mobile device?
The five Cs of data protection • Classification • Compartmentalization • Cryptography • Contingency planning • Coaching
1. Data Classification • Develop a taxonomy for the different data types (industry specific) • Decide what levels of protection are needed for each data classification • Find the data in your organization • Move, destroy, protect. • Develop a plan to keep looking for the data
Data Classification • Develop levels • Restricted • High • Moderate • Low • Decide what data fits into what level • When you are not sure you can use the FIPS 199 standard
Federal Information Processing Standards (“FIPS”) publication 199
Finding your data • Remember data is like water, it is hard to find the leak. • Automated software can help find data • Agent based • Host/server based • Stand alone • Maybe hold a spring cleaning day • Shred paper, remove files, know what you have
2. Compartmentalization • Assume the attacker is acting as an insider • You need to control who has access to what data. • Network based • Host/server based • Data source based • The role of authentication
Network based • Typically uses technology to enforce internal compartmentalization • Internal FW, VLANs, VPN • Monitor internal network access • Worry about wireless
Host/server based • Know what data is stored on which host • Agent software • Control access to sever shares • Authentication based • Limit access to only people that need to know • Beware of host to host authentication
