confidentiality

85
Confidentiality Information Assurance Policy (95-803) Danny Lungstrom Senthil Somasundaram 03/27/2006

Upload: latoya

Post on 09-Jan-2016

49 views

Category:

Documents


1 download

DESCRIPTION

Confidentiality. Information Assurance Policy (95-803) Danny Lungstrom Senthil Somasundaram 03/27/2006. Overview of Security. Goals of IT Security – CIA Triad Confidentiality Integrity Availability. Confidentiality. Secure. Integrity. Availability. CIA Triad. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Confidentiality

Confidentiality

Information Assurance Policy(95-803)

Danny LungstromSenthil Somasundaram

03/27/2006

Page 2: Confidentiality

Overview of Security

Goals of IT Security – CIA Triad

Confidentiality

Integrity

Availability

Page 3: Confidentiality

CIA Triad

Confidentiality

AvailabilityIntegrity

Secure

Ref: Security In Computing - Charles Pfleeger

Page 4: Confidentiality

Confidentiality Defined

Confidentiality ensures that computer-related assets are accessed only by authorized parties. That is, only those who should have access to something will actually get that access. Access means not only reading but includes viewing, printing (or) simply knowing that a particular asset exists. Also known sometime as secrecy (or) privacy.

Ref: Security In Computing - Charles Pfleeger

Page 5: Confidentiality

Risks

Types Of Risk Legal Risks

Fines, liability lawsuits, criminal prosecution

Financial Risks Numerous costs involved including losing customer's

trust, legal fees, fines

Reputational Risks Loss of trust

Operational Risks Failed internal processes – insider trading, unethical

practices, etc.

Strategic Risks Financial institutions future, mergers, etc.

Page 6: Confidentiality

Threats to Confidentiality

Access to confidential information by any unauthorized person Intercepted data transfers Physical loss of data Privileged access of confidential information by employees Social engineered methods to gain confidential information Unauthorized access to physical records Transfer of confidential information to unauthorized third parties Compromised machine where attacker is able to access data thought to be

secure

Page 7: Confidentiality

Threats in the Case Study

Scheduling information regarding national level speakers/sensitive private meetings highly restricted

• Concerns over unauthorized access as a result of leaks – includes leaks to press as well as opposition/protest groups

• Concerns over “leaks” via IT from opposition groups within the national organization

• Loss of trust in decisions made at event– Can include public exposure of sensitive data

• Loss of privacy, yielding decreased impact on event, decreased participation with organization

– Individuals of prominence can lose privacy – can include a physical security risk (schedules, timetables, etc.)

– Such a loss may not directly impact event – impact delayed– Can result in loss of Sponsorship, financial support, public perception of competence

Page 8: Confidentiality

Threats from Case Study

Common theme: leaking private data Strict access controls are crucial to protecting

the confidential information Those who should have access to the

confidential information should be clearly defined These people must sign a very clear confidentiality

agreement Should understand importance of keeping the

information private

Page 9: Confidentiality

Financial Importance

Financial losses due to loss of trade secrets According to Computer Security Institute's 6th

“Computer Crime and Security Survey” “the most serious financial losses occurred through theft

of proprietary information” 34 respondents reported losses

of $151,230,100 That's $4.5 million per company in 1 year!!!

Page 10: Confidentiality

Trade Secrets

As name implies, must be kept secret No registration/approval or standard procedure Somewhat protected if company takes measures to

ensure its privacy Quick and easy

No formal process, just ensure only those that should know about it do

Limited protection Not protected against reverse engineering or

obtaining the secret by “honest” means

Page 11: Confidentiality

Trade Secrets (2)

Why trade secrets? Filing for a patent makes the information public Quick

How to protect Enforce confidentiality agreements Label all information as “Confidential” for the courts

How long do trade secrets remain secret? Average is 4 to 5 years Expected to decrease in the future with

advancements in reverse engineering processes

Page 12: Confidentiality

Best Kept Trade Secrets

Coca-cola Coca-Cola decided to keep its formula secret, decades ago! Only known to a few people within the company Stored in the vault of a bank in Atlanta The few that know the formula have signed very explicit

confidentiality agreements Rumor has it, those that know the formula are not allowed to

travel together If Coca-cola instead patented the syrup formula, everyone could

be making it today

KFC's 11 secret herbs and spices

Page 13: Confidentiality

Phishing Scams

Tricking people into providing malicious users with their private/financial information

Financial losses to consumers: $500 million to $2.4 billion per year

depending on source 15 percent of people that have visited a

spoofed website have parted with private/personal data, much of the time including credit card, checking account, and social security numbers

Page 14: Confidentiality

Phising Example

Page 15: Confidentiality

Help Protect Yourself

Don't use links from emails for sites where personal/financial information is to be disclosed Browse to the website yourself

Use spam filtering to avoid much of the mess Check for HTTPS and a padlock on bottom bar

Don't solely rely on Educate yourself about the risks! Check your credit report periodically

Page 16: Confidentiality

Legal Requirements

HIPAA Gramm-Leach Bliley FERPA Confidentiality/Non-disclosure Agreements ISP/Google subpoenaed examples

Page 17: Confidentiality

HIPAA

Numerous regulations on access to a person's health information Ensure patient access to records

Allow them to modify inaccuracies Written consent required to disclose

records Ensure not used for non-medical

purposes (job screening, loans, insurance)

Proper employee training on respecting confidentiality of patients

Page 18: Confidentiality

What HIPAA Doesn't Do

Does not restrict what info can be collected, person just has to be informed

Doesn't require extremely high levels of privacy during medical visits, just reasonable Some sort of barrier (curtains) No public conversations Secure documents No post-it note passwords

Page 19: Confidentiality

Gramm-Leach Bliley Act

Protection for consumer's personal financial information All financial institutions must have a policy in place

that identifies how information will be protected Must also identify foreseeable threats in security

and data integrity

Page 20: Confidentiality

Gramm-Leach Bliley Act (2)

Financial Privacy rule Institution must inform individuals as to any

information collected, the purpose of the collection, and what is going to be done with it

The individual may refuse Safeguards rule

Security policy portion of act, as described earlier Pretexting Protection (social-engineering)

Institutions must take measures to protect against social-engineering, phishing, etc.

Page 21: Confidentiality

FERPA

Family Educational Rights and Privacy Act Instructor regulations

Cannot provide a child's grade to anyone other than child/parent (no websites)

Cannot share info on child's behavior at school except to parents

Cannot share info on child's homelife Child's instructor must do the grading, not a volunteer or

someone else

Page 22: Confidentiality

ISPs Subpoenaed

What rights do ISP subscribers have to confidentiality?

ISPs being forced to turn over names Verizon vs. RIAA

Verizon won the appeal User vs. Comcast

Comcast gets sued from both ends RIAA vs. Grandma

83 year old Gertrude – shared overover 700 rock/rap songs, but...

RIAA decides to drop case... Blames time it takes to get user info

Page 23: Confidentiality

DoJ vs. User Privacy

COPA (Children's Online Protection Act) DoJ subpeonaed nearly all major

ISPs and search engines Search engines required to turn

over searches Google says this could link back to

specific users demanded production of "[a]ll

queries that have been entered on [Google's] search engine between June 1, 2005 and July 31, 2005"

Page 24: Confidentiality

Google vs. DoJ

Is Google only pretending to care? Only fighting the subpoenas in order to better

reputation with the public? “Google's on our side” But, they mine an enormous amount of data on

anyone that uses any of their services Protecting their own trade secrets

Page 25: Confidentiality

Bigger Problem

These enormous databases exist If anyone gets ahold of any portion of these databases,

they have an unimaginable wealth of private information on an endless amount of people

ChoicePoint forced to pay $15 million by FTC 163,000 consumer's information stolen from their

database Names, SSNs, credit history, employment history, etc.

Led to at least 800 cases of identity theft http://www.privacyrights.org/ar/ChronDataBreaches.htm

Page 26: Confidentiality

Giant Eagle Example

Giant Eagle's Loyalty Program Nearly 4 million active users in 2005 User's purchases at both the grocery store and gas

station are knowingly monitored, but still 4 million think the invasion of privacy is worth the savings

Can even link the card to fuel perks, enable check cashing and video rental service!

Also use card at 4,000 hotels, Avis, Hertz, Alamo, numerous local retailers, sporting events, museums, zoos, ballets, operas, etc.

Basically as much info as you're willing to give them they'll take... and use for what else?

Page 27: Confidentiality

Giant Eagle (2)

From the privacy policy: Giant Eagle does not share your personal

information or purchase information with anyone except:

As necessary to enable us to offer you savings on products or services; or

As necessary to complete a transaction initiated by you through the use of your card;

Page 28: Confidentiality

Writing Policies

Ask numerous questions before beginning What information is confidential?

The broader the definition the better (for the discloser) Who should be allowed to access this information?

Create a list and have them sign confidentiality agreements

How long is it to remain confidential? Longer the time frame, the harder to keep confidential

What type of security policy is needed? What sort of organization is it for?

What level of confidentiality is necessary for the given organization?

Page 29: Confidentiality

Further Risk Assessment

Basic questions: Who, what, when, where, why, how?

Who? Who should have access, who shouldn't Ensure they must properly authenticate in order to

access information, so that “who” is ensured non-repudiation

Page 30: Confidentiality

Further Risk Assessment (2)

What? What needs to be kept confidential?

When? How long must it remain secure?

Where? Where is this confidential data going to be safely

stored? File server, workstation, removable media, laptop, etc.

Page 31: Confidentiality

Further Risk Assessment (3)

Why? Law

FERPA, HIPAA, etc. Specified in end-user agreement User trust

How? What means are to be used to ensure it's

protection? Access controls, encryption, physical barriers, etc.

Page 32: Confidentiality
Page 33: Confidentiality
Page 34: Confidentiality

Types of Security Policies

Military Security (governmental) Policy Commercial Security Policies

Clark-Wilson Commercial Security Policy (Integrity) Separation of Duty (Integrity) Chinese Wall Security Policy (Confidentiality)

Page 35: Confidentiality

Military/Government Security Policies

Goal: Protect private information Uses ranking system on levels of confidentiality Need-to-know rule Compartmentalized Combination of (rank; compartment) is its classification Clearances are required for different levels of classification Access based on dominance

Combination of sensitivity and need-to-know requirements

Page 36: Confidentiality

Information Sensitivity Ranking

Unclassified

Restricted

Confidential

Secret

Top SecretMost Sensitive

Least SensitiveUnclassified

Restricted

Confidential

Secret

Top Secret

Compartment 1 Compartment 2

Compartment 3

Ref: Security In Computing - Charles Pfleeger

Page 37: Confidentiality

Commercial Security Policies

Less rigid and hierarchical No universal hierarchy Varying degree of sensitivity

E.g. Public, Proprietary and Internal No formal concept of clearance

Access not based on dominance, as there are no clearances

Page 38: Confidentiality

Chinese Wall Policy

Conflicts of interest Effects those in legal, medical, investment,

accounting firms Person in one company having access to confidential

information in a competing company

Based on three levels for abstract groups Objects

Files Company Groups

Collection of files Conflict Classes

Company groups with competing interests

Page 39: Confidentiality

Chinese Wall Policy (2)

Access control policy Individual may access any information, given that

(s)he has never accessed any information from another company in the same conflict class

So, once individual has accessed any object in a given conflict group, they are from then on restricted to only that company group within the conflict group, the rest are off-limits

Page 40: Confidentiality

Chinese Wall Illustrated

Company ACompany B

Company F

Company ACompany B

Company F

Company CCompany DCompany E

Company C

Company D

Company E

Ref: Security In Computing - Charles Pfleeger

Initially

After choosing B and D

Page 41: Confidentiality

Writing the CA

After considering these various questions, it is time to actually write the policy

Contents should include: Obligation of confidentiality Restrictions on the use of confidential information Limitations on access to the confidential information Explicit notification as to what is confidential

These things should all be considered when writing the policy for the case study

Page 42: Confidentiality

Access controls

Locking down an OS Principle of Least Privilege Password Management User policies

what if someone calls and needs password anti-social engineering

Page 43: Confidentiality

OS Lockdown

Step 1 Identify protection needed for various files/objs

Separate information/data into categories and decide who needs what type of access to it

Distinguish between local and remote access

Step 2 Create associated user groups

Groups derived from first step above Simply create these groups and assign appropriate

members

Page 44: Confidentiality

OS Lockdown (2)

Step 3 Setup access controls

General practices Deny as much as possible Disable write/modify access to any executables Restrict access to OS source/configuration files to admin Only allow appends to log files Analyze access control inheritance

UNIX/Linux specific No world-writable files Mount file system as read-only Disable suid Make kernel files immutable

Page 45: Confidentiality

OS Lockdown (3)

Step 4 Install/configure encryption capabilities

Depending on how confidential information is, either use OS encryption or add 3rd party software to do the job

Necessary if OS access controls are not overly configurable

Step 5 Continue to monitor!

Make sure things are as expected

Source: CERT.org

Page 46: Confidentiality

Database Access

Databases often house an enormous amount of desired data about people (CC#s, SSNs, etc.)

Must pay special attention to access Defense in depth

Only allow specific users access Limit these users as much as possible

Encrypt information in database Encrypt information in transfer

IPSec, SSL, TLS Patch!

Page 47: Confidentiality

Password Policies

Confidential information is protected by some means of authentication, often passwords How confidential the password protected

information is depends on the strength of the password used

Tips: Not dictionary based More than 8 characters (the more the merrier) Combination of letters, numbers, and special chars Not related to user Not related to login name Don't reuse the same password for all accounts!

Page 48: Confidentiality

Encryption for Confidentiality

When to use Anytime you wouldn't want anyone/everyone

to see what you're doing Financial transactions Personal e-mails Anything confidential

Various solutions PGP, S/MIME, PKI, OpenVPN, SSH, SFTP, etc.

Drawbacks/difficulties May not be allowed Not always user friendly Not what used to

Page 49: Confidentiality

Regulated Encryption

Should their be more stringent guidelines for using various encryption techniques? Many in gov't said yes after 9/11 and pushed for

reform Senator Judd Gregg pushed to require that the gov't be

given the keys to decrypt everyone's messages if necessary

Much debate, as terrorist may encrypt messages, and not even NSA can decrypt (so they say)

Would this help? Would the terrorists use encryption methods that the gov't could decrypt and would they provide them with keys? Or is this just a privacy invasion for all non-terrorists?

Page 50: Confidentiality

Email Policy

Popular encryption methods PGP Entrust Hushmail S/MIME

Should employees be allowed to encrypt messages at work? May want to secure confidential business trade

secrets or other work-related data Would you want work related info sent out on a postcard?

May just want to email friends and not be monitored

Page 51: Confidentiality

Email Policy

Clearly define proper use of e-mail at work What is allowed and what is not

State any monitoring activity in confidentiality notice – ensure users know they are being monitored if they are

Specify authorized software that can be used for e-mail Disallow running executable files received as attachments

Could allow for further breaches Define e-mail retention policy

Page 52: Confidentiality

Network policies

Separate servers based on services and levels of confidentiality required

A public file server or database should not also house confidential information

Case study: Various services needed Separate confidential from public Separate by which groups are to be allowed access

Page 53: Confidentiality

Event Network

Internet

Media

Operations (8-9 Servers, ~200

PCs)Organization (10+

Servers, ~400 PCs)

PodiumSchedulingVotingCommunicationsSponsor AccessParticipant Access

FinancialHuman ResourcesContractingCommunicationsPublic RelationsNetwork Operations

Venue

Source: 95-803 course slides

Page 54: Confidentiality

Break Time!

Josh was supposed to bake cookies, but he misplaced his apron - sorry

Page 55: Confidentiality

Confidentiality

• Device and Media Control

• Backups

• Physical Security

• Personnel Security

• Outsourcing/Service Providers

• Incident Response

Page 56: Confidentiality

Device & Media Control

• Device and Media Control

Ref: www.securewave.com

Page 57: Confidentiality

Device & Media – Issues

• What are the issues?

– Growing Pain!!!– Number of devices on the raise– Increased security risk– Technology race for faster, smaller, cheaper and higher

capacity devices • Less than 5 minutes to copy 60GB data• 2GB memory can hold up to 400,000 pages

– Devices are cheap but the information may be expensive

Page 58: Confidentiality

Risks

Page 59: Confidentiality

Privacy Vs Security

Page 60: Confidentiality

Smart Phones

Page 61: Confidentiality

Policy – Device & Media

• Define a device and media control policy

• What to consider?

– Ban the use of all mobile media?– Governing may be more practical then prohibiting the mobile

devices– Identify and list authorized devices/media – Define their acceptable method of usage– Keep track of devices connected to your network– Associate devices to valid users

Page 62: Confidentiality

• What to consider?

– Password protection on all mobile devices– Disallow storing of sensitive information on mobile devices– Encryption– Govern the use of personal devices on corporate

environment– Take into account the convergence of data and telecom– Train and educate your employees on protection of devices

and media

Policy – Device & Media(2)

Page 63: Confidentiality

Device & Media Disposal

• Define a policy for device & media disposal

– Ensure complete sanitization before the equipment/media is re-used (or) disposed

– Provide guidelines on standard for media sanitization– Monitor media disposal by third party– NIST guidelines for media sanitization

http://csrc.nist.gov/publications/drafts/DRAFT-sp800-88-Feb3_2006.pdf

Page 64: Confidentiality

Case Study Options (1)

• Device & Media Control Policy Options

– Classify the information to be protected– Prohibit copying classified confidential information to mobile

devices including laptops/PDA/USB storage etc– Provide printing/e-mailing/download options only for non-

confidential data – Enforce encryption of data on all storage media– Identify and specify authorized type of devices that can be

connected to network

Page 65: Confidentiality

• Device & Media Control Policy Options

– Require wireless devices be registered before getting connected to the network

– Disable any direct external mobile device attachments to network with highly confidential information

– Provide only dump terminals for public/media access so that no external devices can be attached to network

– Ban use of cell phones during private sessions

Case Study Options (2)

Page 66: Confidentiality

Backups

• Backups security often overlooked

• Why are they important?

– Due to concentration of data the degree of confidentiality is as high as original data

– Confidentiality requirements for information apply to backed up data

– HIPAA requires compliance methodologies for backups also.

– Archives/Business History

Page 67: Confidentiality

• Security factors

– Storage of backup data– Transfer of backup data– Security of networks used to backup data– Software & Media

Backups (2)

Page 68: Confidentiality

Backups – Policy (1)

• What to consider?

– Procedure for backups– Allowable software and storage media– Encryption of confidential data– Guidelines for storage– Guidelines to protect the documents with information about

backups – encryption keys, location etc…– Patches for backup software

Page 69: Confidentiality

• What to consider?

– Inventory – Testing– Security of networks used for backups– Garbage collection of obsolete backups– Sanitization of backup media before disposal– Transportation methods

• Procedures

http://csrc.nist.gov/fasp/FASPDocs/contingency-plan/Backup-And-Recovery.pdf

Backups – Policy (2)

Page 70: Confidentiality

Physical Security

• Why is it required?

– First line of defense preventing loss of confidentiality– Physical attacks requires minimal effort– Protects information assets from unauthorized access– All security policy enforcements will be a non-factor without

physical security– Security lapses increases risk of both insider and outsider

attacks– Protects confidential information assets from natural and

environmental hazards

Page 71: Confidentiality

• Privacy Vs Security• Appropriate levels• What can we do?

– Consider multilayer security approach – Environment of authorized personnel only– Physical barriers like fence, guards, alarms and surveillance

video etc..– Maintain an inventory of computer hardware and label them

for identification– Limit access to your hardware

Physical Security (2)

Page 72: Confidentiality

• What can we do?– Deploy your servers with confidential information only in

physically secure locations– Restrict physical access to your information assets by third

parties. – Document visit procedures and method of access for third

parties– Conduct periodical physical security audits for compliance– Enforce security practices to prevent dumpster diving– National Industry Security Program Operating Manual –

NISPOM http://www.fas.org/sgp/library/nispom/nispom2006.pdf

Physical Security (3)

Page 73: Confidentiality

Insider Threat

Page 74: Confidentiality

Personnel Security

• Importance?– Insider threats are real – Employee security practices play a vital role in protecting confidential information

• What to consider?– Employment terms needs to include role and responsibility of employee in

protecting confidential information– Employment terms must state penalties for violation– Carry out background checks – Training on security– Training on protection of trade secrets and intellectual property rights– Employees are also part of corporate assets– Protect and safeguard employees

Page 75: Confidentiality

Outsourcing

• Confidentiality Issues

– Reduction in cost but increases risk– Dependence on service providers– Can the vendors be trusted with handling confidential data?– Vendors may be handling data and dealing with information

systems of competing companies– Offshore – Can US regulations be enforced on third world

countries? – Non-disclosure agreements in offshore projects– Can all institutions outsource?

Page 76: Confidentiality

• Mitigation of Risks

– Define goals, scope and risks– Assess information risk Vs benefits– Evaluate service provider’s capability to handle confidential

information– Determine contractors ability to comply with security

requirements– BITS – IT Service Provider Service Expectations Matrix

http://www.bitsinfo.org/downloads/Publications%20Page/bitsxmatrix2004.xls

Outsourcing (2)

Page 77: Confidentiality

• Evaluate Service Providers (BITS Method)

– Security Policy– Organizational Security– Asset Classification & Control– Personnel Security– Physical & Environment Security– Communications and Ops Management– Systems Development and Maintenance– Business Continuity– Regulatory Compliance

Ref: www.bitsinfo.org

Outsourcing (3)

Page 78: Confidentiality

• Privacy and Confidentiality Considerations

– Review privacy policy of the service provider for adequacy– Understand how the policy is implemented and

communicated– Review privacy policy employee training and tracking– Review service providers employee confidentiality

agreements– Review service provider policy for employee privacy policy

violations

Ref: www.bitsinfo.org

Outsourcing (4)

Page 79: Confidentiality

• Privacy and Confidentiality Considerations

– Review adequacy of privacy for service providers contract staff

– Review procedures to retain, protect and destroy non-public information

– Access service providers diligence in legal, regulatory and compliance areas

– Comparing the company’s privacy policy with service providers policy and identifying gaps

– More http://www.bitsinfo.org/downloads/Publications%20Page/bits2003framework.pdf

Ref: www.bitsinfo.org

Outsourcing (5)

Page 80: Confidentiality

Options For Case Study

• Service Provider Policy Considerations– Evaluate the vendors privacy policy including the venue of

the event for adequacy– Require vendors to prove compliance before the finalization

of contract– Have all third parties/vendors sign NDA – Ensure through background checks before hiring contract

staff for the event

– Include all confidentiality agreements in contract and severe penalty clause for lapses

Page 81: Confidentiality

Incident Response (1)

• Purpose?

– Effective and quick response necessary to limit the damage– Regulations calls for corporate incident policies and

procedures– Policy and plan required to assess the damage and respond

appropriately– Plan for recovery from the damage and business continuity– Improves your chances of survival after breach

Page 82: Confidentiality

Incident Response (2)

• Policy Considerations

– Define incident reporting and handling work flow– Identify incident handlers and their responsibilities– Educate and train your employees on incident reporting– Legal Compliance– Procedures to contact law enforcement– Evidence collection– CERT Handbook

http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html

Page 83: Confidentiality

Trust

• Reason?– Confidentiality relies highly on trust – Employer trusts employee– Employer trusts service providers– Trust hardware– Trust software

• Is it sufficient? – Trust but deploy controls/procedures to validate trust

Page 84: Confidentiality

Conclusion

• Confidentiality – Not optional!!• Legal and regulatory compliance• Secure all the doors to confidential information• Policy and controls will provide relative security • Policy and controls will improve chances of survival

No Guarantee!!!

Page 85: Confidentiality

Questions