Confidentiality (slides courtesy of Danny Lungstrom and Senthil Somasundaram)
CIA Triad: a system is secure when it preserves Confidentiality, Integrity and Availability. Ref: Security In Computing - Charles Pfleeger
Threats to Confidentiality • Access to confidential information by any unauthorized person • Intercepted data transfers • Physical loss of data (lost or stolen media and devices) • Abuse of privileged access to confidential information by employees • Social engineering used to obtain confidential information • Unauthorized access to physical records • Transfer of confidential information to unauthorized third parties • Compromised machine from which the attacker can read data thought to be secure
Confidentiality Agreements • Strict access controls are crucial to protecting confidential information • Those who should have access to the confidential information should be clearly defined • These people must sign a very clear confidentiality agreement • They should understand the importance of keeping the information private
Financial Importance • According to the Computer Security Institute's 6th “Computer Crime and Security Survey” (2001) • “the most serious financial losses occurred through theft of proprietary information” • 34 respondents reported combined losses of $151,230,100 • About $4.5 million per reporting company in one year
Trade Secrets • No registration, approval or standard procedure • Quick and easy • Limited protection: no protection against reverse engineering or independent discovery of the secret by “honest” means
Trade Secrets (2) • Why trade secrets? • How to protect them • Enforce confidentiality agreements • Label all such information “Confidential”, so that a court can see reasonable steps were taken to keep it secret • How long do trade secrets remain secret? • Average is 4 to 5 years (and decreasing)
Best Kept Trade Secrets • Coca-Cola • Coca-Cola decided to keep its formula secret, decades ago • Known only to a few people within the company • Stored in the vault of a bank in Atlanta • The few who know the formula have signed very explicit confidentiality agreements • Rumor has it that those who know the formula are not allowed to travel together • Had Coca-Cola instead patented the syrup formula, the patent would long since have expired and everyone could be making it today • KFC
Phishing Scams • Tricking people into providing malicious users with their private/financial information • Financial losses to consumers: • $500 million to $2.4 billion per year depending on source • 15 percent of people that have visited a spoofed website have parted with private/personal data, much of the time including credit card, checking account, and social security numbers
Phishing Example? (message received at CERT)
Date: Tue, 20 Sep 2005 03:06:03 -0700 (PDT)
From: Countrywide <countrywide@email.countrywide.com>
To: tjs@cert.org
Subject: Important Customer Correspondence
[Image: "Countrywide - Full Speectrum Lending Division"] [Image: "1-866-227-4118"] [Image: "If you could use some extra cash, Countrywide could make it easy."] [Image: "Click Here to Get Started"] (plus a number of empty spacer images)
Dear Timothy, We can help customers get cash from the available equity they've built up in their homes by refinancing their mortgages, and with the trend in rising home values, we estimate your home's equity may have increased to as much as $43,867.00. (much more…)
Analysis • Phone number appears legitimate, and the sender is the recipient's current mortgage holder • Note the typographical errors (“Speectrum”, empty images, etc.) • A big payoff is offered • Closer look: the domains embedded in the links (m0.net, r.delivery.net) do not match the From: domain (countrywide.com); all of them sit at the same ISP (Digital Impact) • Phishing example?
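The "closer look" above can be automated: parse the message, take the registered domain of the From: address, and list every link or image domain in the body that differs from it. The script below is an added example, not part of the original slides; the message it parses is a constructed sample modelled on the slide's description (a countrywide.com sender, links at m0.net and r.delivery.net), and its paths, tracking id and unsubscribe link are invented.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample message modelled on the slide's description: the From:
# address is at countrywide.com, but the links and images point at m0.net
# and r.delivery.net.  Paths, tracking id and the unsubscribe link are invented.
SAMPLE_MESSAGE = """\
From: Countrywide <countrywide@email.countrywide.com>
To: tjs@cert.org
Subject: Important Customer Correspondence
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="http://r.delivery.net/img/spacer.gif" height="1" width="1">
<p>If you could use some extra cash, Countrywide could make it easy.</p>
<a href="http://m0.net/m/s.asp?id=0001">Click Here to Get Started</a>
<a href="http://email.countrywide.com/unsubscribe">Unsubscribe</a>
</body></html>
"""

# Any http(s) URL appearing as an href= or src= attribute value.
URL_RE = re.compile(r"""(?:href|src)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)


def registered_domain(host):
    """Reduce a hostname to its last two labels (email.countrywide.com ->
    countrywide.com).  Good enough for .com/.net; a real deployment would use
    the public suffix list so that names like example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg):
    """Registered domain of the address part of the From: header."""
    _, addr = email.utils.parseaddr(msg["From"])
    return registered_domain(addr.rpartition("@")[2])


def embedded_domains(msg):
    """Registered domains of every link/image URL in the HTML (or plain) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return sorted({registered_domain(urlsplit(u).hostname or "")
                   for u in URL_RE.findall(text)})


def mismatched_domains(raw):
    """Return (sender_domain, [embedded domains that differ from it]).

    A non-empty list is the "embedded domains don't match the From: domain"
    signal from the slide.  It is a heuristic, not proof of phishing: bulk mail
    sent through a third-party marketing provider trips it as well."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = sender_domain(msg)
    return sender, [d for d in embedded_domains(msg) if d != sender]


if __name__ == "__main__":
    sender, suspects = mismatched_domains(SAMPLE_MESSAGE)
    print(f"From domain: {sender}")
    print("Links/images on other domains:", ", ".join(suspects) or "none")
```

Run against the sample it reports delivery.net and m0.net as the off-domain targets while the countrywide.com unsubscribe link passes; the slide's final question ("Phishing example?") is exactly the judgement call the heuristic leaves to the analyst.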
Legal Requirements • HIPAA • Gramm-Leach-Bliley • FERPA • Confidentiality/Non-disclosure Agreements
Giant Eagle Example • Giant Eagle's Loyalty Program • Nearly 4 million active users in 2005 • Users' purchases at both the grocery store and the gas station are monitored, with the users' knowledge • The card can even be linked to fuel perks, check cashing and a video rental service • The card is also usable at 4,000 hotels, Avis, Hertz, Alamo, numerous local retailers, sporting events, museums, zoos, ballets, operas, etc.
Giant Eagle (2) • From the privacy policy: • Giant Eagle does not share your personal information or purchase information with anyone except: • As necessary to enable us to offer you savings on products or services; or • As necessary to complete a transaction initiated by you through the use of your card;
Writing Policies • Ask numerous questions before beginning • What information is confidential? • Who should be allowed to access this information? • How long is it to remain confidential? • What type of security policy is needed? • What level of confidentiality is necessary for the given organization?
Chinese Wall Policy • Addresses conflicts of interest • A person in one company having access to confidential information of a competing company • Based on three levels of abstract groups • Objects (individual data items) • Company groups (all objects belonging to one company) • Conflict classes (groups of company groups whose owners have competing interests)
Chinese Wall Policy (2) • Access control policy • An individual may access any object, provided (s)he has never accessed any object of a different company in the same conflict class • So, once an individual has accessed any object in a given conflict class, (s)he is from then on restricted to that one company group within the class; the other company groups in the class are off-limits
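The access rule on these two slides is the simple security rule of the Brewer-Nash Chinese Wall model, and it is history-based: what a subject may read depends on what it has already read. The following is an added example, not code from the slides, implementing that rule over the three levels named above (objects, company groups, conflict classes); it also adds the model's second rule for writes, which the slides do not state, labelled as such. The company and object names are invented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    """An object labelled with its company group and conflict class."""
    name: str
    company: str
    conflict_class: str


class ChineseWall:
    """Brewer-Nash Chinese Wall enforcement.

    Access is decided from each subject's history: for every conflict class the
    subject has touched, remember which company group it committed to.
    """

    def __init__(self):
        # subject -> {conflict_class: company group chosen in that class}
        self.history = {}

    def can_read(self, subject, obj):
        """Simple security rule (the slide's access rule): a subject may read
        obj unless it has already read an object of a *different* company in
        the same conflict class."""
        chosen = self.history.get(subject, {}).get(obj.conflict_class)
        return chosen is None or chosen == obj.company

    def read(self, subject, obj):
        """Grant the read and record it; the first read in a conflict class is
        what raises the wall around the other companies in that class."""
        if not self.can_read(subject, obj):
            return False
        self.history.setdefault(subject, {})[obj.conflict_class] = obj.company
        return True

    def can_write(self, subject, obj):
        """Brewer-Nash *-property (part of the model, not stated on the slide):
        a write is allowed only if obj is readable and every company group the
        subject has read from is obj's own, so the subject cannot act as a
        channel carrying company A's data into company B's objects."""
        if not self.can_read(subject, obj):
            return False
        return all(c == obj.company
                   for c in self.history.get(subject, {}).values())


def scenario():
    """Walk two analysts through the policy; returns the decisions in order."""
    bank_a = Obj("BankA/annual-report", "BankA", "banks")
    bank_b = Obj("BankB/annual-report", "BankB", "banks")
    oil_x = Obj("OilX/drilling-plan", "OilX", "oil")
    wall = ChineseWall()
    return [
        wall.read("alice", bank_a),        # True: first touch of the banks class
        wall.read("alice", bank_b),        # False: BankB competes with BankA
        wall.read("alice", oil_x),         # True: different conflict class
        wall.can_write("alice", bank_a),   # False: alice has also read OilX data
        wall.read("bob", bank_b),          # True: bob committed to BankB instead
        wall.read("bob", bank_a),          # False: BankA is now off-limits to bob
        wall.can_write("bob", bank_b),     # True: bob has only read BankB data
    ]


if __name__ == "__main__":
    for decision in scenario():
        print("allowed" if decision else "denied")
```

Note what makes this different from an ordinary ACL: alice and bob hold identical permissions at the start, yet end up with opposite views of BankA and BankB purely because of the order in which they read. Any real enforcement point therefore needs durable, per-subject history, and the write rule is what stops a subject from laundering one company's data into a competitor's files.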
Writing the Policy • Contents should include: • Obligation of confidentiality • Restrictions on the use of confidential information • Limitations on access to the confidential information • Explicit notification as to what is confidential
Implementing Policy • Host lockdown • Database lockdown • Encryption • Backup controls • Email • Network lockdown • Device controls • Personnel controls