Moving Towards Privacy-aware Security
James R. Elste, CISSP, CISM, CGEIT
Security Strategist
Privacy by Design Research Lab, March 23, 2010

Credentials
EDUCATION
• BS in Business Administration, University of Texas at Dallas
• MS in Information Assurance, Norwich University (NSA Center of Academic Excellence)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified in the Governance of Enterprise Information Technology (CGEIT)
EXPERIENCE
• 20+ years of professional IT experience, 10+ years of specialization in Information Security
• Former Director, IS Security & Internal Controls, International Game Technology
• Former Chief Information Security Officer, State of Nevada
• Former Chief Security Officer, Commonwealth of Massachusetts, Health & Human Services
• Information Security Consulting Background
  • I.B.M., Security & Privacy Services
  • Ernst & Young, LLP, Information Security Services
  • Independent Security Consultant
Elste’s Security Syllogism
Information has value.
We protect things of value.
Therefore: we must protect information.

Elste’s Proof
NAME
Social Security Number
Driver’s License Number
Credit Card Number

Security vs. Privacy
PRIVACY: WHAT (and WHY) information needs to be protected
SECURITY: HOW to protect information
Bill Boni, CISO, Motorola
“Understand the business, understand what makes it successful, identify the factors that can put that success at risk, and then find ways of managing that risk through technical, operational or procedural safeguards”
The Changing Threat Landscape Data Breaches
Global Intelligence Network
Identifies more threats, takes action faster & minimizes impact
Locations: Calgary, Alberta; Dublin, Ireland; Reading, England; Tokyo, Japan; Alexandria, VA; San Francisco, CA; Chengdu, China; Mountain View, CA; Austin, TX; Culver City, CA; Taipei, Taiwan; Chennai, India; Pune, India; Sydney, AU
Worldwide Coverage; Global Scope and Scale; 24x7 Event Logging; Rapid Detection
• Attack Activity: 240,000 sensors; 200+ countries
• Malware Intelligence: 130M client, server, gateways monitored; global coverage
• Vulnerabilities: 32,000+ vulnerabilities; 11,000 vendors; 72,000 technologies
• Spam/Phishing: 2.5M decoy accounts; 8B+ email messages/day; 1B+ web requests/day
Information Protection: Threat Triggered Actions; Preemptive Security Alerts

Internet Security Threat Report XIV: Overarching Themes
• Attackers are increasingly targeting end users by compromising high-traffic, trusted websites.
• Attackers are moving their operations to regions with emerging Internet infrastructures and, in some instances, developing and maintaining their own service provisioning.
• Cross-functional industry cooperation in the security community is becoming imperative.

Internet Security Threat Report XIV: Data Breach Trends
[Chart: Data Breaches; Identities Exposed]

Threat Agents
• Well-meaning Insiders
• Hackers and Cyber-Criminals
• Malicious Insiders
Data Breach #1: Lost Laptop
An Avoidable Breach (threat agent: well-meaning insiders)
• According to the Ponemon Institute, the average cost of a lost or stolen laptop PC is more than $49,000.
• In July 2006, a U.S. government-owned laptop with thousands of Florida driver’s license records was stolen from a vehicle in Florida while an official ate lunch inside a restaurant.
• Stolen or lost laptops are the most common type of data breach. Companies report the losses at a much higher rate than any other type of data breach. However, there is a public misperception that these missing machines translate into identity theft. Most laptops are “fenced” for their hardware value, not for the confidential information.
• Solution = Encryption + DLP + Asset Management + Regular Backups

Data Breach #2: Data Spillage
Cyber-criminals vs. a US Government Agency (threat agents: insiders and hackers; well-meaning insider)
SETUP
• Security team detected a data theft incident and knew they were in trouble
• Crucial missing information: where did the hackers gain access to the data?
• Called Symantec to help them answer this question
WHAT WE DID
• Symantec found the original target of the hackers’ efforts
• A software development team had copies of employee data
RESULT
• Internal data spill event was identified and addressed
• Symantec instrumental in the cleanup
Understanding the Exposures Social Media Security Risks
Four Epochs of IT
• Data Center: Terminals; Physical Security
• Distributed Networks (1980s): Thick-Client; Anti-Virus
• Web-enabled Networks (1990s): Thin-Client; Gateway Security; Monitoring
• “Social Media” Networks (2000s): User-managed; Data Loss Prevention

Social Media Security Risks: Overview
• Dr. Mark Drapeau and Dr. Linton Wells at the National Defense University (NDU) define social media as social software, “applications that inherently connect people and information in spontaneous, interactive ways.”
• As of 2008, Facebook had 132 million users and Myspace 117 million users [Reisinger, Don. “10 Ways IT Managers Can Deal with Social Media.” eWeek, July 17, 2009, <http://www.eweek.com/c/a/Security/10-Ways-IT-Managers-Can-Deal-with-Social-Media>]
• Metcalfe’s Law: total possible connections = N²
• Four Use Cases:
  • Inward Sharing – internal collaboration sites
  • Outward Sharing – communication with external entities or sites
  • Inbound Sharing – online polling or “crowdsharing”
  • Outbound Sharing – participation in public social networking sites
  [Guidelines for Secure Use of Social Media by Federal Departments and Agencies, Sept 2009]
Social Media Security Risks: External Exposure Risks
• Inappropriately externalizing confidential/sensitive information
• Personal/Professional Separation
• Account Hijacking
• Privacy Issues and Identity Theft
• Harassment and Cyber-bullying
• Information Obsolescence
• Information Harvesting
• Evolving exposures from Location-aware Mobile Social Networks (LAMSN)

Social Media Security Risks: Internal Compromise Risks
• Malware and Targeted Malware
• Spearphishing
  • 2006 MySpace phishing attack compromised 34,000 usernames and passwords
• Web Application Vulnerabilities
  • Open Web Application Security Project (OWASP) Top Ten
  • XSS
• New attacks & exploits are emerging on a regular basis

Social Media Security Risks: Malware example: Koobface
• The Koobface worm and its associated botnet have gained notoriety in security circles for their longevity and history of targeting social networking sites. First surfacing in 2008 within MySpace and Facebook, the worm resurfaced in early 2009, this time targeting Twitter users.
• Using phishing techniques, the message directs recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player.
• 11/10/2009 – As part of a new Koobface attack, links to Google Reader URLs controlled by cyber-criminals are being spammed by Koobface onto social network sites, including Facebook and MySpace. The hundreds of Google accounts involved host a page with a fake YouTube video. Attempts to view this supposed video expose Windows users to infection by Koobface.
• Upon successful infection, Koobface ultimately attempts to gather sensitive information from the victims, such as credit card numbers.
• Anagram of FACEBOOK

Social Media Security Risks: Mitigation Strategies – Technical
• Shift to an information-centric protection paradigm, rather than a system-centric protection paradigm
  • Data Loss Prevention
  • Data Classification & Labeling Guidelines
  • Digital Rights Management
• Enhanced Endpoint Protection
  • Anti-malware
  • Endpoint Firewall
  • Intrusion Prevention
• Vulnerability and Patch Management

Social Media Security Risks: Mitigation Strategies – Non-Technical
• Update policies to reflect the appropriate use of social networks
• Enhance security awareness training
• Develop an enforceable process for information review and disclosure authorization
Data Loss Prevention: Three Crucial Questions
• Where is your confidential data? (DISCOVER)
• How is it being used? (MONITOR)
• How best to prevent its loss? (PROTECT)
DATA LOSS PREVENTION (DLP)

Data Loss Prevention: Key Functions
DISCOVER
• Find data wherever it is stored
• Create inventory of sensitive data
• Manage data clean up
MONITOR
• Understand how data is being used
• Understand content and context
• Gain enterprise-wide visibility
PROTECT
• Gain visibility into policy violations
• Proactively secure data
• Prevent confidential data loss
MANAGE
• Remediate and report on incidents
• Define unified policy across enterprise
• Detect content accurately

Data Loss Prevention: How it Works
1. MANAGE: Enable or customize policy templates
2. DISCOVER: Identify scan targets; run scan to find sensitive data on network & endpoint data
3. MONITOR: Inspect data being sent; monitor network & endpoint events
4. PROTECT: Block, remove or encrypt; quarantine or copy files; notify employee & manager
5. MANAGE: Remediate and report on risk reduction
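The five-step DLP workflow above, carried through as an added example (not Symantec product code and not from the original deck): one policy set drives both a discovery scan over stored files and inspection of outbound events, and the protect action depends on the channel. Policy names, file paths, file contents and the events are constructed samples.

```python
# Added illustration of the DLP workflow (policy -> discover -> monitor ->
# protect -> manage); constructed sample data, not a vendor implementation.
import re
# Step 1 (MANAGE): policy templates = pattern + validator, so a random
# 16-digit number is not reported as a card (detect content accurately).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0
POLICIES = {
    "US SSN": (SSN_RE, lambda m: True),
    "Credit Card": (CARD_RE, lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
}

def inspect_text(text):  # shared by DISCOVER scans (step 2) and MONITOR (step 3)
    hits = {}
    for name, (pattern, valid) in POLICIES.items():
        n = sum(1 for m in pattern.findall(text) if valid(m))
        if n:
            hits[name] = n
    return hits

def decide(channel):  # step 4 (PROTECT): response depends on where the data is
    return {"storage": "quarantine",      # at rest: move file, notify owner
            "email-external": "block"}.get(channel, "encrypt")  # e.g. USB

def run_dlp(scan_targets, events):  # steps 2-5; returns incident records
    incidents = []
    for path, content in scan_targets.items():        # DISCOVER
        for policy, n in inspect_text(content).items():
            incidents.append((path, policy, decide("storage"), n))
    for channel, content in events:                   # MONITOR
        for policy, n in inspect_text(content).items():
            incidents.append((channel, policy, decide(channel), n))
    return incidents  # MANAGE: remediate and report on these

FILES = {  # constructed files found by a discovery scan
    "/hr/payroll.csv": "Jane Doe,123-45-6789\nJohn Roe,456-78-9012\n",
    "/dev/test-data.txt": "order 1234567890123456 is a fake id, not a card"}
EVENTS = [  # constructed endpoint and network events: (channel, content)
    ("email-external", "Card on file: 4111 1111 1111 1111, exp 12/12"),
    ("usb", "SSN 123-45-6789 for onboarding"), ("email-external", "Lunch?")]
```

The test-data file is scanned but produces no incident because its 16-digit value fails the Luhn check, which is the "detect content accurately" point on the Key Functions slide.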
I. Content-Aware Technical Controls: Discovery
Workflow between the DLP Enforce Platform (Storage DLP / Discover) and the Control Compliance Suite (CCS) Management Platform:
1. Scan and retrieve data: Storage DLP scans servers with PCI data
2. Inspect content and record incidents (DLP Enforce Platform)
3. Send incident and asset info to the CCS Management Platform
4. CCS scans assets to assess server compliance
Key Benefits:
• Align technical controls and risk policies with the content living on assets
• Risk reduction and compliance that addresses the most sensitive information

II. Integrated Compliance Reporting
1. Send incident and asset info from the DLP Enforce Platform to the CCS Management Platform
2. Map incidents to regulations & policies
3. Measure and report on compliance to regulatory requirements
4. Consolidate info on both DLP policy violations and compliance data in dashboard views
Technology Benefits vs. Privacy Consequences
• Electronic Medical Records
  • Effective treatment (+)
  • Embarrassment (-)
  • Discrimination (-)
• Electronic Voting
  • Accuracy and accountability (no hanging chads) (+)
  • Discrimination or Recrimination (-)
• Personally Identifiable Information & Identity Theft
  • Not a long-term issue
  • Significantly reduced by removing the profit motive
  • Eliminated by Identity “Chains of Trust” & “Indelible Identities”

Final Thoughts
• “Security” is essential to facilitate and preserve “privacy”
• There are numerous ethical issues that must be addressed as we continue to evolve our information society: some transcend technology, and some are manifest as a result of technology
http://trendsmap.com/

George Orwell, 1984
“But it was all right, everything was all right, the struggle was finished. He had won the victory over himself. He loved Big Brother.”

James R. Elste, CISSP, CISM, CGEIT
james_elste@symantec.com