
Confidentiality

Confidentiality. Information Assurance Policy (95-803). Danny Lungstrom, Senthil Somasundaram, 03/27/2006. Overview of Security: Goals of IT Security – the CIA Triad of Confidentiality, Integrity and Availability.



Presentation Transcript


  1. Confidentiality Information Assurance Policy (95-803) Danny Lungstrom Senthil Somasundaram 03/27/2006

  2. Overview of Security • Goals of IT Security – CIA Triad • Confidentiality • Integrity • Availability

  3. CIA Triad (figure): Confidentiality, Integrity and Availability together make a system Secure. Ref: Security In Computing - Charles Pfleeger

  4. Confidentiality Defined • Confidentiality ensures that computer-related assets are accessed only by authorized parties. That is, only those who should have access to something will actually get that access. Access means not only reading but also viewing, printing, or simply knowing that a particular asset exists. Also sometimes known as secrecy or privacy. Ref: Security In Computing - Charles Pfleeger

  5. Risks • Types Of Risk • Legal Risks • Fines, liability lawsuits, criminal prosecution • Financial Risks • Numerous costs involved including losing customers' trust, legal fees, fines • Reputational Risks • Loss of trust • Operational Risks • Failed internal processes – insider trading, unethical practices, etc. • Strategic Risks • Financial institution's future, mergers, etc.

  6. Threats to Confidentiality • Access to confidential information by any unauthorized person • Intercepted data transfers • Physical loss of data • Privileged access of confidential information by employees • Social engineered methods to gain confidential information • Unauthorized access to physical records • Transfer of confidential information to unauthorized third parties • Compromised machine where attacker is able to access data thought to be secure

  7. Threats in the Case Study • Scheduling information regarding national level speakers/sensitive private meetings highly restricted • Concerns over unauthorized access as a result of leaks – includes leaks to press as well as opposition/protest groups • Concerns over “leaks” via IT from opposition groups within the national organization • Loss of trust in decisions made at event • Can include public exposure of sensitive data • Loss of privacy, yielding decreased impact on event, decreased participation with organization • Individuals of prominence can lose privacy – can include a physical security risk (schedules, timetables, etc.) • Such a loss may not directly impact event – impact delayed • Can result in loss of Sponsorship, financial support, public perception of competence

  8. Threats from Case Study • Common theme: leaking private data • Strict access controls are crucial to protecting the confidential information • Those who should have access to the confidential information should be clearly defined • These people must sign a very clear confidentiality agreement • Should understand importance of keeping the information private

  9. Financial Importance • Financial losses due to loss of trade secrets • According to Computer Security Institute's 6th “Computer Crime and Security Survey” • “the most serious financial losses occurred through theft of proprietary information” • 34 respondents reported losses of $151,230,100 • That's $4.5 million per company in 1 year!!!

  10. Trade Secrets • As name implies, must be kept secret • No registration/approval or standard procedure • Somewhat protected if company takes measures to ensure its privacy • Quick and easy • No formal process, just ensure only those that should know about it do • Limited protection • Not protected against reverse engineering or obtaining the secret by “honest” means

  11. Trade Secrets (2) • Why trade secrets? • Filing for a patent makes the information public • Quick • How to protect • Enforce confidentiality agreements • Label all information as “Confidential” for the courts • How long do trade secrets remain secret? • Average is 4 to 5 years • Expected to decrease in the future with advancements in reverse engineering processes

  12. Best Kept Trade Secrets • Coca-Cola • Coca-Cola decided to keep its formula secret, decades ago! • Only known to a few people within the company • Stored in the vault of a bank in Atlanta • The few that know the formula have signed very explicit confidentiality agreements • Rumor has it, those that know the formula are not allowed to travel together • If Coca-Cola had instead patented the syrup formula, everyone could be making it today • KFC's 11 secret herbs and spices

  13. Phishing Scams • Tricking people into providing malicious users with their private/financial information • Financial losses to consumers: • $500 million to $2.4 billion per year depending on source • 15 percent of people that have visited a spoofed website have parted with private/personal data, much of the time including credit card, checking account, and social security numbers

  14. Phishing Example

  15. Help Protect Yourself • Don't use links from emails for sites where personal/financial information is to be disclosed • Browse to the website yourself • Use spam filtering to avoid much of the mess • Check for HTTPS and a padlock on bottom bar • Don't solely rely on • Educate yourself about the risks! • Check your credit report periodically

  16. Legal Requirements • HIPAA • Gramm-Leach-Bliley • FERPA • Confidentiality/Non-disclosure Agreements • ISP/Google subpoenaed examples

  17. HIPAA • Numerous regulations on access to a person's health information • Ensure patient access to records • Allow them to modify inaccuracies • Written consent required to disclose records • Ensure not used for non-medical purposes (job screening, loans, insurance) • Proper employee training on respecting confidentiality of patients

  18. What HIPAA Doesn't Do • Does not restrict what info can be collected, person just has to be informed • Doesn't require extremely high levels of privacy during medical visits, just reasonable • Some sort of barrier (curtains) • No public conversations • Secure documents • No post-it note passwords

  19. Gramm-Leach-Bliley Act • Protection for consumers' personal financial information • All financial institutions must have a policy in place that identifies how information will be protected • Must also identify foreseeable threats to security and data integrity

  20. Gramm-Leach-Bliley Act (2) • Financial Privacy rule • Institution must inform individuals as to any information collected, the purpose of the collection, and what is going to be done with it • The individual may refuse • Safeguards rule • Security policy portion of the act, as described earlier • Pretexting Protection (social engineering) • Institutions must take measures to protect against social engineering, phishing, etc.

  21. FERPA • Family Educational Rights and Privacy Act • Instructor regulations • Cannot provide a child's grade to anyone other than child/parent (no websites) • Cannot share info on child's behavior at school except to parents • Cannot share info on child's homelife • Child's instructor must do the grading, not a volunteer or someone else

  22. ISPs Subpoenaed • What rights do ISP subscribers have to confidentiality? • ISPs being forced to turn over names • Verizon vs. RIAA • Verizon won the appeal • User vs. Comcast • Comcast gets sued from both ends • RIAA vs. Grandma • 83-year-old Gertrude – shared over 700 rock/rap songs, but... • RIAA decides to drop case... • Blames time it takes to get user info

  23. DoJ vs. User Privacy • COPA (Children's Online Protection Act) • DoJ subpoenaed nearly all major ISPs and search engines • Search engines required to turn over searches • Google says this could link back to specific users • demanded production of "[a]ll queries that have been entered on [Google's] search engine between June 1, 2005 and July 31, 2005"

  24. Google vs. DoJ • Is Google only pretending to care? • Only fighting the subpoenas in order to better reputation with the public? • “Google's on our side” • But, they mine an enormous amount of data on anyone that uses any of their services • Protecting their own trade secrets

  25. Bigger Problem • These enormous databases exist • If anyone gets ahold of any portion of these databases, they have an unimaginable wealth of private information on an endless number of people • ChoicePoint forced to pay $15 million by FTC • 163,000 consumers' information stolen from their database • Names, SSNs, credit history, employment history, etc. • Led to at least 800 cases of identity theft • http://www.privacyrights.org/ar/ChronDataBreaches.htm

  26. Giant Eagle Example • Giant Eagle's Loyalty Program • Nearly 4 million active users in 2005 • Users' purchases at both the grocery store and gas station are knowingly monitored, but still 4 million think the invasion of privacy is worth the savings • Can even link the card to fuel perks, enable check cashing and video rental service! • Also use card at 4,000 hotels, Avis, Hertz, Alamo, numerous local retailers, sporting events, museums, zoos, ballets, operas, etc. • Basically as much info as you're willing to give them they'll take... and use for what else?

  27. Giant Eagle (2) • From the privacy policy: • Giant Eagle does not share your personal information or purchase information with anyone except: • As necessary to enable us to offer you savings on products or services; or • As necessary to complete a transaction initiated by you through the use of your card;

  28. Writing Policies • Ask numerous questions before beginning • What information is confidential? • The broader the definition the better (for the discloser) • Who should be allowed to access this information? • Create a list and have them sign confidentiality agreements • How long is it to remain confidential? • The longer the time frame, the harder it is to keep confidential • What type of security policy is needed? • What sort of organization is it for? • What level of confidentiality is necessary for the given organization?

  29. Further Risk Assessment • Basic questions: • Who, what, when, where, why, how? • Who? • Who should have access, who shouldn't • Ensure they must properly authenticate in order to access information, so that “who” is ensured • non-repudiation

  30. Further Risk Assessment (2) • What? • What needs to be kept confidential? • When? • How long must it remain secure? • Where? • Where is this confidential data going to be safely stored? • File server, workstation, removable media, laptop, etc.

  31. Further Risk Assessment (3) • Why? • Law • FERPA, HIPAA, etc. • Specified in end-user agreement • User trust • How? • What means are to be used to ensure its protection? • Access controls, encryption, physical barriers, etc.

  32. Types of Security Policies • Military Security (governmental) Policy • Commercial Security Policies • Clark-Wilson Commercial Security Policy (Integrity) • Separation of Duty (Integrity) • Chinese Wall Security Policy (Confidentiality)

  33. Military/Government Security Policies • Goal: Protect private information • Uses ranking system on levels of confidentiality • Need-to-know rule • Compartmentalized • Combination of (rank; compartment) is its classification • Clearances are required for different levels of classification • Access based on dominance • Combination of sensitivity and need-to-know requirements

  34. Information Sensitivity Ranking (figure): ranks from Most Sensitive to Least Sensitive are Top Secret, Secret, Confidential, Restricted, Unclassified; each rank is crossed with Compartment 1, Compartment 2 and Compartment 3, so a classification is a (rank; compartment) pair. Ref: Security In Computing - Charles Pfleeger
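The dominance rule from slides 33 and 34, as an added example (not code from the slides or from Pfleeger): a clearance may read an object only if its rank is at least as sensitive and its compartments cover the object's compartments. The rank order and compartment names are the figure's own; `least_clearance_for` goes one step beyond the slides and computes the smallest clearance that can read several objects at once.

```python
# Added example (not from the slides): "access based on dominance" in a
# military/government policy, using the ranks and compartments of slide 34.
from dataclasses import dataclass

# Sensitivity ranks from least to most sensitive, as on slide 34.
RANKS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)
class Label:
    """A classification (on an object) or a clearance (on a subject):
    a sensitivity rank plus a set of need-to-know compartments."""
    rank: str
    compartments: frozenset = frozenset()

    def level(self) -> int:
        return RANKS.index(self.rank)


def dominates(higher: Label, lower: Label) -> bool:
    """higher >= lower iff its rank is at least as sensitive AND its
    compartments include every compartment of the lower label."""
    return (higher.level() >= lower.level()
            and lower.compartments <= higher.compartments)


def can_read(clearance: Label, classification: Label) -> bool:
    """Read access requires the clearance to dominate the classification:
    both the sensitivity and the need-to-know requirement must be met."""
    return dominates(clearance, classification)


def least_clearance_for(*classifications: Label) -> Label:
    """Smallest clearance able to read all given objects: the highest
    rank present plus the union of every compartment (a lattice join)."""
    rank = max(classifications, key=Label.level).rank
    comps = frozenset().union(*(c.compartments for c in classifications))
    return Label(rank, comps)


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"Compartment 1", "Compartment 2"}))
    memo = Label("Confidential", frozenset({"Compartment 3"}))
    print("analyst may read memo:", can_read(analyst, memo))  # rank ok, compartment not
```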

  35. Commercial Security Policies • Less rigid and hierarchical • No universal hierarchy • Varying degree of sensitivity • E.g. Public, Proprietary and Internal • No formal concept of clearance • Access not based on dominance, as there are no clearances

  36. Chinese Wall Policy • Conflicts of interest • Affects those in legal, medical, investment, accounting firms • Person in one company having access to confidential information in a competing company • Based on three levels of abstract groups • Objects • Files • Company Groups • Collection of files • Conflict Classes • Company groups with competing interests

  37. Chinese Wall Policy (2) • Access control policy • Individual may access any information, given that (s)he has never accessed any information from another company in the same conflict class • So, once an individual has accessed any object in a given conflict class, they are from then on restricted to only that company group within the conflict class; the rest are off-limits

  38. Chinese Wall Illustrated (figure): Initially, Company A through Company F are all accessible. After choosing B and D, only Company B and Company D remain accessible; the other companies in their conflict classes are walled off. Ref: Security In Computing - Charles Pfleeger
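The history-based rule of slides 36 to 38 as an added example (not code from the slides or from Pfleeger). The slides only name Company A through F, so the two conflict classes, the company groups' files and the user names below are constructed assumptions chosen to reproduce the "after choosing B and D" picture.

```python
# Added example (not from the slides): a Chinese Wall reference monitor.
# Conflict classes and the files each company group owns are assumptions.
from collections import defaultdict

# conflict class -> company group -> objects (files) that group owns
CONFLICT_CLASSES = {
    "banks": {"Company A": {"a_ledger"}, "Company B": {"b_ledger"},
              "Company C": {"c_ledger"}},
    "oil":   {"Company D": {"d_wells"}, "Company E": {"e_wells"},
              "Company F": {"f_wells"}},
}


class ChineseWall:
    def __init__(self, conflict_classes):
        self.company_of = {}   # object -> company group
        self.class_of = {}     # company group -> conflict class
        for cls, companies in conflict_classes.items():
            for company, objects in companies.items():
                self.class_of[company] = cls
                for obj in objects:
                    self.company_of[obj] = company
        # The decision depends on what the user has touched before, so the
        # monitor keeps a per-user history of company groups accessed.
        self.history = defaultdict(set)

    def may_access(self, user, obj):
        """Allowed unless the user already accessed a *different* company
        group in the same conflict class as the object's owner."""
        company = self.company_of[obj]
        cls = self.class_of[company]
        return not any(self.class_of[seen] == cls and seen != company
                       for seen in self.history[user])

    def access(self, user, obj):
        """Record the access if the wall permits it; return the decision."""
        if not self.may_access(user, obj):
            return False
        self.history[user].add(self.company_of[obj])
        return True

    def accessible_companies(self, user):
        """Company groups the user can still touch, given their history."""
        seen = self.history[user]
        return sorted(c for c, cls in self.class_of.items()
                      if not any(self.class_of[s] == cls and s != c for s in seen))


if __name__ == "__main__":
    wall = ChineseWall(CONFLICT_CLASSES)
    wall.access("alice", "b_ledger")
    wall.access("alice", "d_wells")
    print(wall.accessible_companies("alice"))  # Company B and Company D only
```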

  39. Writing the CA • After considering these various questions, it is time to actually write the policy • Contents should include: • Obligation of confidentiality • Restrictions on the use of confidential information • Limitations on access to the confidential information • Explicit notification as to what is confidential • These things should all be considered when writing the policy for the case study

  40. Access controls • Locking down an OS • Principle of Least Privilege • Password Management • User policies • what if someone calls and needs password • anti-social engineering

  41. OS Lockdown • Step 1 • Identify protection needed for various files/objects • Separate information/data into categories and decide who needs what type of access to it • Distinguish between local and remote access • Step 2 • Create associated user groups • Groups derived from first step above • Simply create these groups and assign appropriate members

  42. OS Lockdown (2) • Step 3 • Set up access controls • General practices • Deny as much as possible • Disable write/modify access to any executables • Restrict access to OS source/configuration files to admin • Only allow appends to log files • Analyze access control inheritance • UNIX/Linux specific • No world-writable files • Mount file system as read-only • Disable suid • Make kernel files immutable

  43. OS Lockdown (3) • Step 4 • Install/configure encryption capabilities • Depending on how confidential information is, either use OS encryption or add 3rd party software to do the job • Necessary if OS access controls are not overly configurable • Step 5 • Continue to monitor! • Make sure things are as expected Source: CERT.org
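Step 5 says to keep monitoring that things are as expected; the added example below (not from the slides or from CERT) audits a directory tree for the UNIX/Linux rules of slide 42: world-writable files, setuid/setgid bits, and executables that non-owners may modify. `build_fixture` creates a throwaway tree with deliberate violations so the audit can be run offline; the paths and modes in it are constructed.

```python
# Added example (not from the slides): audit a tree against the slide-42
# UNIX/Linux lockdown rules. build_fixture() makes a constructed sample tree.
import os
import stat
import tempfile


def audit_tree(root):
    """Return {relative path: [issues]} for regular files under root that
    break a lockdown rule. Symlinks and special files are skipped."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            issues = []
            if mode & stat.S_IWOTH:
                issues.append("world-writable")
            if mode & stat.S_ISUID:
                issues.append("setuid")
            if mode & stat.S_ISGID:
                issues.append("setgid")
            # "Disable write/modify access to any executables": an executable
            # that group or others can write is a modifiable executable.
            if mode & stat.S_IXUSR and mode & (stat.S_IWGRP | stat.S_IWOTH):
                issues.append("writable-executable")
            if issues:
                findings[os.path.relpath(path, root)] = issues
    return findings


def build_fixture():
    """Constructed sample tree (not a real system): one clean config file
    and three files that each violate a rule."""
    root = tempfile.mkdtemp(prefix="lockdown_")
    files = {
        "etc/app.conf": 0o644,   # clean
        "tmp/notes.txt": 0o666,  # world-writable
        "bin/helper": 0o4755,    # setuid executable
        "bin/tool": 0o775,       # executable the group may modify
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, issues in sorted(audit_tree(build_fixture()).items()):
        print(f"{rel}: {', '.join(issues)}")
```

Point `audit_tree` at a real directory such as `/usr/local` to get the same report for a live system; it only reads metadata.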

  44. Database Access • Databases often house an enormous amount of desired data about people (CC#s, SSNs, etc.) • Must pay special attention to access • Defense in depth • Only allow specific users access • Limit these users as much as possible • Encrypt information in database • Encrypt information in transfer • IPSec, SSL, TLS • Patch!

  45. Password Policies • Confidential information is protected by some means of authentication, often passwords • How confidential the password protected information is depends on the strength of the password used • Tips: • Not dictionary based • More than 8 characters (the more the merrier) • Combination of letters, numbers, and special chars • Not related to user • Not related to login name • Don't reuse the same password for all accounts!
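The tips on slide 45 as an added checker (not code from the slides): it reports every rule a candidate password breaks. The tiny `DICTIONARY` and the leet-speak substitution table are constructed stand-ins for a real word list; the length and character-class thresholds are the slide's own.

```python
# Added example (not from the slides): check a password against the slide-45
# tips. DICTIONARY and LEET are constructed stand-ins for a real word list.
import re

DICTIONARY = {"password", "welcome", "summer", "letmein", "dragon", "monkey"}
# Substitutions that cracking word lists already undo, so undo them here too.
LEET = str.maketrans("@01345$!", "aoleassi")


def _normalize(text):
    """Lowercase, undo leet substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def password_problems(password, login="", full_name=""):
    """Return the list of slide-45 rules the password breaks ([] = passes)."""
    problems = []
    if len(password) <= 8:
        problems.append("8 characters or fewer")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    core = _normalize(password)
    # "Not dictionary based": the whole word or a 4+ letter word inside it.
    if core in DICTIONARY or any(w in core for w in DICTIONARY if len(w) >= 4):
        problems.append("dictionary-based")
    # "Not related to login name" / "Not related to user".
    norm_login = _normalize(login)
    if len(norm_login) >= 3 and norm_login in core:
        problems.append("related to login name")
    for part in full_name.split():
        norm_part = _normalize(part)
        if len(norm_part) >= 3 and norm_part in core:
            problems.append("related to user")
            break
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "jsmith2006!", "Tr0ub4dor&3"):
        print(pw, "->", password_problems(pw, "jsmith", "John Smith") or "ok")
```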

  46. Encryption for Confidentiality • When to use • Anytime you wouldn't want anyone/everyone to see what you're doing • Financial transactions • Personal e-mails • Anything confidential • Various solutions • PGP, S/MIME, PKI, OpenVPN, SSH, SFTP, etc. • Drawbacks/difficulties • May not be allowed • Not always user friendly • Not what used to

  47. Regulated Encryption • Should there be more stringent guidelines for using various encryption techniques? • Many in gov't said yes after 9/11 and pushed for reform • Senator Judd Gregg pushed to require that the gov't be given the keys to decrypt everyone's messages if necessary • Much debate, as terrorists may encrypt messages, and not even the NSA can decrypt them (so they say) • Would this help? Would the terrorists use encryption methods that the gov't could decrypt, and would they provide them with keys? Or is this just a privacy invasion for all non-terrorists?

  48. Email Policy • Popular encryption methods • PGP • Entrust • Hushmail • S/MIME • Should employees be allowed to encrypt messages at work? • May want to secure confidential business trade secrets or other work-related data • Would you want work related info sent out on a postcard? • May just want to email friends and not be monitored
