MIST 2012 Panel Discussion: “Key Challenges in Defending Against Insider Threats”. Ruo Ando, National Institute of Information and Communication Technology, Tokyo, Japan.

Uploaded by ruo-ando, posted 30-Jun-2015.


DESCRIPTION

This file was used in MIST 2012 (4th International Workshop on Managing Insider Security Threats).

TRANSCRIPT

Page 1

MIST 2012 Panel Discussion: “Key Challenges in Defending Against Insider Threats”

Ruo Ando, National Institute of Information and Communication Technology, Tokyo, Japan

Page 3

Outline: insider threat and data leakage

Information leakage is one of the most serious kinds of damage caused by insider threats. In this talk, I will introduce some key issues about ex-post countermeasures against information leakage.

① First, the "Data lives forever" problem is introduced. Once sensitive information has leaked over the Internet, we have no effective countermeasure to nullify it. Some topics such as advanced secret sharing and the right to be forgotten will be noted.

② Second, I will talk briefly about "Data sovereignty" to provide a logical and technical basis for tracking spread information. PDP (provable data possession) could be one of the solutions.

Finally, I will present some actual cases about these problems.

Page 4

Insider Threats and Information Leakage

Incidents by breach type (2012/11, http://www.datalossdb.org): stolen document 14%, lost tape 14%, disposal document 14%.

Attacks from outside by hacking are motivated by botnets, FaaS, etc. Social engineering and APT are sometimes very hard to prevent technically.

Data leakage is one of the main purposes of insider attacks. Besides, this kind of threat causes retroactive disclosure.

Data lives forever: once sensitive data is released to the network, it circulates forever.

Information leak means retroactive disclosure: sensitive data could be retrieved later and retroactivated as an offense.

Page 5

Can retroactivation as an offense be mitigated? Is an ex-post countermeasure possible?

Top threats to enterprise security (IDC's survey), 2008 and 2010:

Threat                            2008   2010
Trojans, viruses, other malware     54     78
Spyware                             48     74
Hackers                             41     67
Employees exposing information      52     66
Equipment misconfiguration          41     61
Application vulnerabilities         44     59
Spam                                39     58
Data stolen by trusted party        38     53
Insider sabotage                    34     49

Is it possible to prevent uploading sensitive files?

2012/08: “Dropbox Confirms User Email Leaks – Adds Additional Protection”

Is it unstoppable even if we adopt domain seizure in Amazon EC2?

Can DLP protect sensitive data sent from SNS?

Page 6

Japan's case: information leakage via P2P networks

2009/04/02: Tokyo Rinkai Hospital – a list with the information of 598 inpatients

2009/01/08: National Information-Technology Promotion Agency – a database of the Ministry of Internal Affairs and the National Patent Office

2010/10/30: The Metropolitan Police Department unit in charge of international terrorism leaks a confidential list over P2P networks

2008/03/22: National Bank of Japan leaks confidential insider information

2005/06: Documents of a Mitsubishi nuclear power plant were leaked

Page 7

Data Sovereignty in the Cloud Computing Era

Data sovereignty: the coupling of stored data authenticity and geographical location in the cloud.

However, as the cloud computing environment has become international, securing data sovereignty is harder and harder. Geolocation technology could be cheated. PDP (Provable Data Possession) could be one of the solutions for this problem.

Zachary N. J. Peterson, Mark Gondree, and Robert Beverly. A Position Paper on Data Sovereignty: The Importance of Geolocating Data in the Cloud. USENIX HotCloud 2011.

Giuseppe Ateniese, Randal C. Burns, Reza Curtmola, Joseph Herring, Lea Kissner, Zachary N. J. Peterson, and Dawn Xiaodong Song. Provable Data Possession at Untrusted Stores. ACM CCS 2007.
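As an added illustration (not part of the slides, and not Ateniese et al.'s construction), this Python sketch shows the shape of a possession audit: the client keeps only a key, stores keyed per-block tags with the provider, and spot-checks a random sample of blocks each round. Real PDP uses homomorphic RSA tags so the proof stays constant-size instead of returning the sampled blocks; the block size, key and file here are constructed.

```python
import hashlib
import hmac
import random

def tag_blocks(key, blocks):
    """Client setup: a keyed tag per block binding index and content. Tags go to the
    provider together with the data; the client keeps only `key`."""
    return [hmac.new(key, i.to_bytes(8, "big") + b, hashlib.sha256).digest()
            for i, b in enumerate(blocks)]

class StorageProvider:
    """Untrusted store. A proof is the challenged blocks with their stored tags."""
    def __init__(self, blocks, tags):
        self.blocks, self.tags = list(blocks), list(tags)
    def prove(self, indices):
        return [(i, self.blocks[i], self.tags[i]) for i in indices]

def make_challenge(n_blocks, sample, rng=random):
    """Random subset of indices; sampling keeps each audit far cheaper than a download."""
    return sorted(rng.sample(range(n_blocks), sample))

def verify(key, indices, proof):
    """Client check: every challenged index must come back with a block whose tag
    recomputes under the client's key. Without the key the provider cannot mint a
    tag for a block it no longer holds, so a valid proof implies possession."""
    if [i for i, _, _ in proof] != list(indices):
        return False
    return all(hmac.compare_digest(hmac.new(key, i.to_bytes(8, "big") + block, hashlib.sha256).digest(), tag)
               for i, block, tag in proof)

def detection_probability(n_blocks, corrupted, sample):
    """P(at least one corrupted block is hit) when `sample` indices are drawn without replacement."""
    p_miss = 1.0
    for k in range(sample):
        p_miss *= (n_blocks - corrupted - k) / (n_blocks - k)
    return 1.0 - p_miss

if __name__ == "__main__":
    key = bytes(32)  # placeholder; use os.urandom(32) for a real key
    blocks = [bytes([i]) * 4096 for i in range(10)]  # constructed 40 KiB file in 4 KiB blocks
    provider = StorageProvider(blocks, tag_blocks(key, blocks))
    idx = make_challenge(len(blocks), 4)
    print("honest provider:", verify(key, idx, provider.prove(idx)))   # True
    provider.blocks[idx[0]] = b"\xff" * 4096  # provider silently lost a block
    print("after data loss:", verify(key, idx, provider.prove(idx)))   # False
    print("1% loss, 460 blocks challenged:", detection_probability(10000, 100, 460))  # > 0.99
```

The last line reproduces the sampling argument behind PDP: auditing a few hundred blocks of a 10,000-block file detects a 1% loss with better than 99% probability, without reading the whole file.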

Page 8

"Data lives forever" problem

• WikiLeaks

WikiLeaks is an international organization that publishes submissions of otherwise unavailable documents from anonymous sources and leaks. On July 25, 2010, WikiLeaks released to The Guardian, The New York Times, and Der Spiegel over 92,000 documents related to the war in Afghanistan between 2004 and the end of 2009.

• “Right to forget and delete”

The European Commission set out a strategy to strengthen EU data protection rules in Nov 2010: “Controlling your information, having access to your data, being able to modify or delete it – these are essential rights that have to be guaranteed in today's digital world.”

Page 9

P2P security – VANISH: self-destructing data

Roxana Geambasu, Tadayoshi Kohno, Amit Levy, and Henry M. Levy. Vanish: Increasing Data Privacy with Self-Destructing Data. USENIX Security Symposium, Montreal, Canada, August 2009.

Technology: secret sharing protocol and DHT.

In the Vanish system, a shared file disappears from the network after a fixed interval. Bob sends {C, L} to Alice. Vanish is implemented on the Vuze DHT.

Figure: Bob computes C = Ek(data), splits the key into shares K1, K2, ..., KN and stores them, with a timeout, at random indexes L in the DHT; he sends {C, L} to Alice, who fetches the shares from L, recovers the key and computes data = Dk(C).

Page 10

P2P security – UNVANISH: reconstructing data

Scott Wolchok, Owen S. Hofmann, Nadia Heninger, Edward W. Felten, J. Alex Halderman, Christopher J. Rossbach, Brent Waters, and Emmett Witchel. Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs. NDSS 2010.

Unvanish mounts Sybil nodes in the DHT to replicate the stored key shares and reconstruct the data.

Figure: the same flow as on page 9 (C = Ek(data), shares K1..KN at random indexes L with a timeout, {C, L} sent to Alice, data = Dk(C)), with Unvanish nodes attached to the DHT.
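To make pages 9 and 10 concrete, here is an added Python model (not the Vanish or Unvanish code) of the flow: Shamir shares of the key at random indexes in a toy in-memory DHT with a timeout, the VDO {C, L, t}, and why expiry is not deletion: any node that copied t or more shares before the timeout can still decrypt. The SHAKE-256 XOR stand-in for Ek/Dk, the 127-bit field and the sample plaintext are constructed assumptions.

```python
import hashlib, secrets
P = 2**127 - 1  # Mersenne prime; Shamir arithmetic is done in GF(P)

def split_key(k, n, t):
    """Shamir: n shares of k, any t of which reconstruct it (random degree t-1 polynomial)."""
    coeffs = [k] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {x: sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P for x in range(1, n + 1)}

def recover_key(shares):
    """Lagrange interpolation at x = 0 from any t shares {x: f(x)}."""
    k = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        k = (k + yi * num * pow(den, P - 2, P)) % P
    return k

def xor_stream(k, data):
    """Stand-in for Ek/Dk: XOR with a SHAKE-256 keystream derived from k (k is used once)."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(k.to_bytes(16, "big")).digest(len(data))))

class DHT:  # toy DHT: one value per index, unreadable once its timeout has passed
    def __init__(self): self.store = {}
    def put(self, idx, value, expires): self.store[idx] = (value, expires)
    def get(self, idx, now):
        v = self.store.get(idx)
        return None if v is None or now >= v[1] else v[0]

def vanish_encapsulate(data, dht, n, t, timeout, now):
    """Bob: random k, C = Ek(data), shares K1..KN pushed to random indexes L; the VDO is {C, L, t}."""
    k = secrets.randbelow(P)
    L = {x: secrets.token_hex(20) for x in range(1, n + 1)}
    for x, share in split_key(k, n, t).items():
        dht.put(L[x], share, now + timeout)
    return xor_stream(k, data), L, t

def vanish_decapsulate(C, L, t, dht, now):
    """Alice: fetch the shares at L; if fewer than t survive, k and therefore data are gone."""
    shares = {x: s for x, idx in L.items() if (s := dht.get(idx, now)) is not None}
    return None if len(shares) < t else xor_stream(recover_key(dict(list(shares.items())[:t])), C)

if __name__ == "__main__":
    dht = DHT()
    C, L, t = vanish_encapsulate(b"598 inpatient records", dht, n=10, t=7, timeout=8 * 3600, now=0)
    hoard = DHT()  # Unvanish lesson: a party that copied >= t shares before expiry can decrypt forever
    for idx in L.values(): hoard.put(idx, dht.get(idx, now=0), expires=float("inf"))
    for when, src in ((3600, dht), (9 * 3600, dht), (10**9, hoard)):
        print(when, vanish_decapsulate(C, L, t, src, now=when))  # plaintext, None, plaintext
```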

Page 11

Example: propagation speed over a DHT network

Figure: two plots over 26 hours. "node": the number of peers observed, from 0 to 12,000,000. "diff": the hourly increase, on a log scale from 10,000 to 1,000,000.

In the first 4 hours, we can obtain more than 4,000,000 peers! After 5 hours, Δ (the increase) becomes stable.

BitTorrent's share of all Internet traffic, estimates:

① 55% – CableLabs: about half of the upstream traffic of CATV.

② 35% – CacheLogic, “LIVEWIRE - File-sharing network thrives beneath the Radar”.

③ 60% – documents at www.sans.edu: “It is estimated that more than 60% of the traffic on the internet is peer-to-peer.”