Confidentiality

Presentation Transcript


  1. Confidentiality (slides courtesy of Danny Lungstrom and Senthil Somasundaram)

  2. CIA Triad
     • Confidentiality
     • Integrity
     • Availability
     • Confidentiality, Integrity and Availability together: Secure
     Ref: Security in Computing - Charles Pfleeger

  3. Threats to Confidentiality
     • Access to confidential information by any unauthorized person
     • Intercepted data transfers
     • Physical loss of data
     • Privileged access of confidential information by employees
     • Social engineered methods to gain confidential information
     • Unauthorized access to physical records
     • Transfer of confidential information to unauthorized third parties
     • Compromised machine where attacker is able to access data thought to be secure

  4. Confidentiality Agreements
     • Strict access controls are crucial to protecting the confidential information
     • Those who should have access to the confidential information should be clearly defined
     • These people must sign a very clear confidentiality agreement
     • Should understand importance of keeping the information private

  5. Financial Importance
     • According to Computer Security Institute's 6th “Computer Crime and Security Survey”
       • “the most serious financial losses occurred through theft of proprietary information”
       • 34 respondents reported losses of $151,230,100
       • $4.5 million per company in 1 year

  6. Trade Secrets
     • No registration/approval or standard procedure
     • Quick and easy
     • Limited protection
     • Not protected against reverse engineering or obtaining the secret by “honest” means

  7. Trade Secrets (2)
     • Why trade secrets?
     • How to protect
       • Enforce confidentiality agreements
       • Label all information as “Confidential” for the courts
     • How long do trade secrets remain secret?
       • Average is 4 to 5 years (decreasing)

  8. Best Kept Trade Secrets
     • Coca-Cola
       • Coca-Cola decided to keep its formula secret, decades ago!
       • Only known to a few people within the company
       • Stored in the vault of a bank in Atlanta
       • The few that know the formula have signed very explicit confidentiality agreements
       • Rumor has it, those that know the formula are not allowed to travel together
       • If Coca-Cola had instead patented the syrup formula, everyone could be making it today
     • KFC

  9. Phishing Scams
     • Tricking people into providing malicious users with their private/financial information
     • Financial losses to consumers:
       • $500 million to $2.4 billion per year depending on source
     • 15 percent of people that have visited a spoofed website have parted with private/personal data, much of the time including credit card, checking account, and social security numbers

  10. Phishing example?
     Date: Tue, 20 Sep 2005 03:06:03 -0700 (PDT)
     From: Countrywide <countrywide@email.countrywide.com>
     To: tjs@cert.org
     Subject: Important Customer Correspondence
     [Image: "height="] (empty image, repeated several times in the message)
     [Image: "Countrywide - Full Speectrum Lending Division"]
     [Image: "1-866-227-4118"]
     [Image: "If you could use some extra cash, Countrywide could make it easy."]
     [Image: "Click Here to Get Started"]
     Dear Timothy, We can help customers get cash from the available equity they've built up in their homes by refinancing their mortgages - and with the trend in rising home values, we estimate your home's equity may have increased to as much as $43,867.00. (much more…)
     Observations:
     • Phone number appears legit, current mortgage holder
     • Note typographical errors (Speectrum, empty images, etc.)
     • Big payoff offered
     • Closer look: the embedded domains don't match the From domain (m0.net, r.delivery.net, not countrywide.com; all on the same ISP, Digital Impact)
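The "closer look" on the slide, the mismatch between the From: domain and the domains the links actually point at, is a check that can be automated. The following is an added example, not part of the original slides: it extracts every href from an HTML body and reports the hosts whose registrable domain differs from the sender's. The message body is constructed for the example (link hosts taken from the slide, paths invented), and the "last two labels" domain rule is an assumption that is adequate for .com/.net but would need the Public Suffix List for a real tool.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (e.g. email.countrywide.com
    -> countrywide.com). Assumption: fine for .com/.net, not for co.uk etc."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def link_hosts(html: str) -> list:
    """Hostnames of every href= target in an HTML body, in document order."""
    hrefs = re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.I)
    hosts = []
    for href in hrefs:
        host = urlparse(href).hostname
        if host:                      # skip mailto:, anchors, relative paths
            hosts.append(host)
    return hosts


def mismatched_links(from_header: str, html: str) -> list:
    """Link hosts whose registrable domain is not the From: address's domain.
    A non-empty result is the phishing tell the slide points at."""
    _, addr = parseaddr(from_header)
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1])
    return [h for h in link_hosts(html) if registrable_domain(h) != sender_domain]


# Constructed sample modelled on the slide's message (paths are placeholders).
SAMPLE_FROM = "Countrywide <countrywide@email.countrywide.com>"
SAMPLE_HTML = """
<img src="cid:banner" height="">
<a href="http://m0.net/EXAMPLE-PATH">Click Here to Get Started</a>
<a href='http://r.delivery.net/EXAMPLE-PATH'>Learn more</a>
<a href="https://www.countrywide.com/privacy">Privacy policy</a>
"""

if __name__ == "__main__":
    print(mismatched_links(SAMPLE_FROM, SAMPLE_HTML))  # ['m0.net', 'r.delivery.net']
```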

  11. Legal Requirements
     • HIPAA
     • Gramm-Leach-Bliley
     • FERPA
     • Confidentiality/Non-disclosure Agreements

  12. Giant Eagle Example
     • Giant Eagle's Loyalty Program
     • Nearly 4 million active users in 2005
     • Users' purchases at both the grocery store and gas station are knowingly monitored
     • Can even link the card to fuel perks, enable check cashing and video rental service
     • Also use card at 4,000 hotels, Avis, Hertz, Alamo, numerous local retailers, sporting events, museums, zoos, ballets, operas, etc.

  13. Giant Eagle (2)
     • From the privacy policy:
       • Giant Eagle does not share your personal information or purchase information with anyone except:
         • As necessary to enable us to offer you savings on products or services; or
         • As necessary to complete a transaction initiated by you through the use of your card;

  14. Writing Policies
     • Ask numerous questions before beginning
       • What information is confidential?
       • Who should be allowed to access this information?
       • How long is it to remain confidential?
       • What type of security policy is needed?
       • What level of confidentiality is necessary for the given organization?

  15. Chinese Wall Policy
     • Conflicts of interest
       • Person in one company having access to confidential information in a competing company
     • Based on three levels for abstract groups
       • Objects
       • Company Groups
       • Conflict Classes
         • Company groups with competing interests

  16. Chinese Wall Policy (2)
     • Access control policy
       • An individual may access any information, given that (s)he has never accessed any information from another company in the same conflict class
       • So, once an individual has accessed any object in a given conflict group, they are from then on restricted to only that company group within the conflict group; the rest are off-limits
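The rule on slides 15 and 16 depends on a subject's access history, not on a fixed label, which is what makes it different from a static access control list. The following is an added example, not from the original slides: a minimal reference monitor that records, per conflict class, which company a subject has already touched and denies any later access to a competitor in that class. The companies, conflict classes and the "analyst" subject are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obj:
    """A document belonging to one company inside one conflict class."""
    name: str
    company: str
    conflict_class: str


@dataclass
class Subject:
    """A user together with the access history the policy is decided on."""
    name: str
    # conflict class -> the single company in that class already accessed
    history: dict = field(default_factory=dict)


def can_access(subject: Subject, obj: Obj) -> bool:
    """Chinese Wall rule: allowed unless the subject has already accessed an
    object of a different company in the same conflict class."""
    prior = subject.history.get(obj.conflict_class)
    return prior is None or prior == obj.company


def access(subject: Subject, obj: Obj) -> bool:
    """Grant or deny; on grant, record the company that now binds the subject
    for this conflict class (the 'wall' goes up after the first access)."""
    if not can_access(subject, obj):
        return False
    subject.history[obj.conflict_class] = obj.company
    return True


def demo() -> list:
    # Constructed sample: two conflict classes, competing companies in each.
    bank_a = Obj("BankA ledger", "BankA", "banks")
    bank_b = Obj("BankB ledger", "BankB", "banks")
    oil_x = Obj("OilX survey", "OilX", "oil")
    analyst = Subject("analyst")
    return [
        access(analyst, bank_a),  # first access in "banks": allowed
        access(analyst, bank_b),  # competitor in the same class: denied
        access(analyst, oil_x),   # different conflict class: allowed
        access(analyst, bank_a),  # same company again: still allowed
    ]


if __name__ == "__main__":
    print(demo())  # [True, False, True, True]
```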

  17. Writing the Policy
     • Contents should include:
       • Obligation of confidentiality
       • Restrictions on the use of confidential information
       • Limitations on access to the confidential information
       • Explicit notification as to what is confidential

  18. Implementing Policy
     • Host lockdown
     • Database lockdown
     • Encryption
     • Backup controls
     • Email
     • Network lockdown
     • Device controls
     • Personnel controls
