Privacy and Encryption in eGovernment
Dewey Landrum, Technical Architect – CSO SLED West Sector, CISSP
August 11, 2008
Privacy Regulations
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Texas Administrative Code
  • TAC, Title 1, Part 10, Chapter 202
• Texas Public Information Act
  • Part III, Chapter 252
  • Right to Access
  • Special Right to Access
  • SubChapter C - Information Excepted
  • Most Useful Source
Examples of Private Information
• Personal Information
• Litigation & Negotiations
• Competition or Bidding Information
• Location or Price of Property
• Records that would interfere with prosecution
• Student Records
• Birth (75 years) & Death (25 years) Records
• Audit Working Papers
• Addresses, Telephone Numbers, Social Security Numbers, & Personal Family Information of state employees & peace officers
• Photographs of law enforcement & security guards
Examples Continued
• Certain email addresses
• Crime Victim Information
• Family Violence & Shelter work information
• Information related to Computer Security Issues
• Military Discharge Records (DD-214 – 75 years)
• Many others not listed
The Confusion of Encryption
• Encryption can be a very confusing topic
• Various algorithms
  • DES, Triple DES, AES, Blowfish, etc.
• Asymmetrical versus Symmetrical
  • Asymmetrical – usually two keys
    • One for everyone to encrypt to (public key)
    • One for just you to decrypt with (private key)
  • Symmetrical
    • One key used to both encrypt and decrypt
• Different opinions on what and when to encrypt
  • Encrypt everything
  • Encrypt just what you need
• Plus – it’s based on advanced math!
A Cornucopia of Standards
• NIST SP 800-21 Guidelines for Implementing Cryptography in the Federal Government
• NIST SP 800-38C Block Cipher Modes of Operation: Authentication & Confidentiality
• FIPS 180-2 Secure Hash Standard
• FIPS 186-2 Digital Signature Standard
• FIPS 192 Advanced Encryption Standard (AES)
• Many other government-based standards
  • FISMA
  • PCI
  • HIPAA
  • GLBA
Why Encrypt?
• Encryption is used to keep sensitive information private
• Militaries and governments have used various forms of encryption for centuries
• Only recently has it been widely used by businesses and civilians
• Encryption can protect information in each of the following states:
  • While information is being moved from one place to another (in transit)
  • While information is being processed
  • While information is being stored
What are all these algorithms?
• DES, Triple DES, AES, etc.
• As computing power grows, encryption standards that were once adequate become effectively weaker
• DES was once so strong, the government asked that it be weakened so it could be broken if necessary
• Triple DES is just DES run through the encryption/decryption process three times
• AES (Advanced Encryption Standard) is the latest government standard
• These are basically the mathematical formulas for encrypting and decrypting data
Asymmetrical Keys
• A fancy word that basically means:
  • “I have two keys that aren’t the same. One key for encryption, one key for decryption.”
• Asymmetrical – two keys that aren’t the same
• Used so that many people can send information to one source without the senders being able to decrypt the information
• Senders must have their own key pair if they are going to receive encrypted information themselves
• You must deal with the problem of obtaining the public key of everyone who will receive information. The biggest issue is key distribution.
• Takes more processing power, because you may be encrypting to many keys at once
Symmetrical Keys
• A fancy word that basically means:
  • “I have one key to encrypt and decrypt with.”
• Symmetrical – one key used for both encryption and decryption
• Typically used for small groups of people or for applications accessing the same data
• Faster than asymmetrical because there’s only one key and the math is cheaper
• Everyone who is going to encrypt or decrypt must have the same key
  • How do you prevent the key from being distributed to unauthorized people?
  • How do you know the key isn’t being accessed by someone not authorized to access it?
  • What if the key gets corrupted or compromised?
  • How do I change the keys?
Differing Opinions on Encryption
• There are two basic views on encrypting network traffic:
  • Encrypt everything from the client browser connection to the database
  • Encrypt only what needs to be encrypted until you get to a trusted environment
Encrypt Everything
• Encrypt everything from the client browser connection to the database, including network traffic
• Use SSL (Secure Sockets Layer) to encrypt the connection to the web server so it can’t be intercepted over the Internet
• Encrypt internal traffic (SSL or IPsec) so it can’t be intercepted by either staff members or rogue users
• Encrypt it in the database so if someone breaks in and steals the data, it is still encrypted
Problems with Encrypt Everything
• There are various issues with SSL browser compatibility
  • Older browsers may not support 128-bit encryption
  • Export laws – if you only support 128-bit encryption, you may not be able to support worldwide commerce
• Encrypting internal traffic blocks the ability to monitor attacks
  • Most Intrusion Prevention/Detection Systems don’t support decryption of traffic for inspection - they are blind to encrypted attacks
  • Many of the better hacking tools now support SSL as an option - hackers choose this option to hide their attacks from Intrusion Prevention/Detection systems
  • Host-based IPS can decrypt traffic for inspection, but is much more expensive to put on every host than deploying a network-based sensor
• Database encryption only protects against attackers who are outside the application and do not have access to the keys
• It’s much more expensive – disks, network bandwidth, processing time, etc.
Encrypt Only What You Need To
• Encrypt only what is required to protect data
• Use SSL (Secure Sockets Layer) to encrypt the connection to the web server so it can’t be intercepted over the Internet, and only while you are passing sensitive information
• Encrypt internal traffic only when it is very sensitive information and you are in a mixed network environment
  • If you don’t trust your data center or internal staff, maybe you need new staff
• Encrypt only the columns in the database that contain sensitive information
Problems with Encrypt What You Need To
• SSL is still vulnerable to “Man-in-the-Middle” attacks
• Various versions of SSL have vulnerabilities like any other piece of software - it must be kept updated
• Connections must be forced to redirect to the encrypted channel
• Web servers are frequently breached, which gives a “beach head” for sniffing internal traffic that is not encrypted
• Staff members steal more data than hackers - encrypting internal traffic helps stop this
• Database encryption can occur within the application or at the database
  • Encrypting only certain columns is more expensive (more code)
  • How do you know what to encrypt?
  • What about aggregated information?
  • Do you trust your DBAs more than your System Administrators?
Encryption Won’t Always Help
• Many attacks are now conducted through the application
  • The application must have access to the data
• Most attacks are successful because of improper input validation (the application doesn’t properly check what the user is putting in the form)
• Many attacks are successful because unnecessary services were running, or certain services were not properly patched or configured
• Allowing administrative services to be accessible from the Internet is also a common cause of breaches
Example – Rhode Island
• The information was encrypted in the database and SSL was used for connections
• Improper input validation let the hacker display files containing server user names and hashed passwords
  • Many tools are available to “unhash” the passwords
  • This type of issue is usually either a patch or configuration issue
  • Most IPS systems will detect this type of attack if they can read the traffic
• An unprotected SSH (Secure Shell) service (outside of VPN access) was reachable from the Internet - the hacker just logged in with an account and password
• The hacker spooled information from the database to a file
  • He was outside of the application, so the data was strongly encrypted
  • He had access to the keys, so he downloaded them
  • Since encryption methods are standard, he downloaded an encryption kit for the type of encryption used and decrypted the data
• Proper monitoring would have caught access to the keys
How do you protect your information?
• A good foundation of policies and procedures
• Follow established standards
  • FISMA
  • PCI
  • GLBA
• DO NOT make up your own encryption standard
• Perform proper monitoring
• Encrypt what is necessary
• Perform audits to ensure processes work and are being followed
• Perform testing
• Have a third party evaluate your program