
Lecture to PhD student summer school on security and privacy from financial industry and consumers perspectives


Page 1: Security And Privacy Cagliari 2012

Copyright © 2011 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation

OWASP

http://www.owasp.org

Perspectives on consumers' privacy and security trade-offs

Marco Morana

Global Industry Committee

OWASP Foundation

Summer School on Computer Security & Privacy 27-31 August 2012

Page 2: Security And Privacy Cagliari 2012

Do you know OWASP?

Page 3: Security And Privacy Cagliari 2012

About myself and my career journey

Page 4: Security And Privacy Cagliari 2012

Privacy is one of the biggest problems in this new electronic age…

…At the heart of the Internet culture is a force that wants to find out everything about you. And once it has found out everything about you and two hundred million others, that's a very valuable asset, and people will be tempted to trade and do commerce with that asset. This wasn't the information that people were thinking of when they called this the information age.

Andy Grove, Former Chairman of Intel, 63, Santa Clara, California, in Esquire's "What I've Learned": http://www.esquire.com/features/what-ive-learned/what-ive-learned-archive

Page 5: Security And Privacy Cagliari 2012

Presentation Objective & Agenda

Objective: present different perspectives on privacy, the trade-offs between the different needs of consumers and businesses, and future trends.

Agenda

PART I: Doing business with customers' private information

PART II: Threats to consumers' private information and measures to protect it

PART III: Future trends affecting data privacy

Page 6: Security And Privacy Cagliari 2012

PART I: Doing Business with Customers' Private Information

Page 7: Security And Privacy Cagliari 2012

Factors that Limit Personal Privacy

(Diagram: the following factors act on Personal Data Privacy)

Law Enforcement

Social Networking

Targeted Marketing

Taxation

Page 8: Security And Privacy Cagliari 2012

Factors that Enable Personal Data Privacy

(Diagram: the following factors support Personal Data Privacy)

Anonymity

Data Privacy Laws & Controls

Confidentiality

Security Controls (e.g. Encryption)

Page 9: Security And Privacy Cagliari 2012

…about Privacy

1. Privacy is a personal right

2. There are different types of privacy (health, political, race/sex, etc.); financial privacy is important for the avoidance of fraud and identity theft

3. Privacy is traded off against different needs such as networking, business, marketing, compliance and law enforcement

4. Businesses collect, process and store customers' private and confidential information for different reasons

5. Data confidentiality and privacy have similar goals

6. New technologies such as social networks, online services and cloud computing challenge the notion of personal privacy

7. Perspectives about privacy change with time

Page 10: Security And Privacy Cagliari 2012

Private And Personal Identifiable Information

Private information and Personal Identifiable Information (PII) uniquely identify an individual. What counts as private information and PII varies among countries, e.g.:

US SB1386: Name and SSN, Driver's License No., Account/Credit/Debit Account No. + PIN

EU Directive 95/46, Article 2(a): 'personal data' is any information relating to an identified or identifiable person, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

Page 11: Security And Privacy Cagliari 2012

Data Breach Notification Rules in Italy

.. Legislative Decree 69/2012 (in force since June 1st 2012, implementing in Italy Directive no. 2009/136/EC):

Definition of personal data breach: a breach of security leading to the accidental destruction, loss, alteration, unauthorized disclosure of, or access to, personal data

Procedures to deal with a personal data breach:

Shall notify the Italian Data Protection Authority ("DPA" or Garante) without undue delay (e.g. 72 hrs for ISPs);

Shall notify the data subject, unless the provider is able to give evidence to the DPA that it has implemented appropriate security measures

Failure or delay to notify a personal data breach to the DPA is sanctioned with a fine ranging between EUR 25,000 and EUR 150,000

Page 12: Security And Privacy Cagliari 2012

Trade-offs Between Business and Privacy Needs

Collection and processing of customers' PII (C-PII) and sensitive information

Sharing of C-PII and personal information with 3rd parties/affiliates

Compliance with privacy laws, data breach notification laws and security policies

Protection of C-PII and sensitive information in storage and transmission

Disclosure of, and consent to, which 3rd parties and affiliates C-PII is shared with

Notifications to customers when private data is collected and when it is either lost or compromised

Page 13: Security And Privacy Cagliari 2012

Collection and Processing of PII

..in the case of financial institutions, PII is:

Collected online and at a branch when opening bank accounts, applying for loans, running credit reports, applying for credit cards, and using online banking

Processed and stored to identify/verify the customer by asking for the last four digits of the SSN and account number, for example:

Over the phone, for bank account balance and payment of bills

Online, to validate a user when resetting a password/PIN

Online, to authenticate a user with challenge questions

Page 14: Security And Privacy Cagliari 2012

Collection and Processing of PII Examples

Page 15: Security And Privacy Cagliari 2012

Private Data Collection Examples

Page 16: Security And Privacy Cagliari 2012

PART II: Threats to Private Information and Measures to Protect It

Page 17: Security And Privacy Cagliari 2012

Statistical Data of Data Loss Incidents (*)

Hacking and external attacks are the major cause of private data losses, and their share is increasing (from 32% to 61% and from 53% to 75%)

Last year NAA, SSN and DOB represented the majority of private data record types lost; this year they are PWD, EMA and SSN

(*) Source: DataLossDb.org http://www.datalossdb.org

Page 18: Security And Privacy Cagliari 2012

…In the space of one hour, my entire digital life was destroyed.

First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

.. all you need in addition to someone's e-mail is a billing address and the last four digits of a credit card

(*) Source: How Apple and Amazon Security Flaws Led to My Epic Hacking http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Page 19: Security And Privacy Cagliari 2012

Cost to Businesses for Loss of PII

1. Data breach cost per data record lost: $222/record (*)

2. Out-of-pocket cost per identity fraud incident: $631/victim/incident (**)

(*) Source: 2011 Cost of a Data Breach: United States, Ponemon Institute and Symantec, March 2012

(**) Source: The 2011 Identity Fraud Survey Report by Javelin Strategy & Research http://www.identityguard.com/downloads/javelin-2011-identity-fraud-survey-report.pdf
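As an added example (not part of the lecture slides), the following Python breach-triage helper applies the SB1386 combination rule quoted on the "Private And Personal Identifiable Information" slide (a name paired with an SSN, a driver's license number, or an account/card number plus its PIN) to a set of leaked records, and multiplies the notifiable count by the $222/record Ponemon figure above. The field names and sample records are constructed for this example.

```python
"""Breach triage under the SB1386-style definition used in the deck.

A leaked record is treated as notifiable personal information when it pairs a
person's name with at least one of: SSN, driver's license number, or an
account/card number together with its PIN or access code.  Field names and
the sample records below are constructed for this example.
"""
from typing import Dict, List

NAME_FIELDS = {"first_name", "last_name"}
STANDALONE_IDS = {"ssn", "drivers_license"}        # name + one of these is enough
ACCOUNT_FIELDS = {"account_no", "card_no"}         # these need an access code too
ACCESS_CODES = {"pin", "access_code"}


def is_notifiable(record: Dict[str, str]) -> bool:
    """Apply the combination rule: name + (SSN | DL | account number + code)."""
    present = {key for key, value in record.items() if value}
    if not NAME_FIELDS & present:
        return False            # an identifier without a name does not trigger the rule
    if STANDALONE_IDS & present:
        return True
    return bool(ACCOUNT_FIELDS & present) and bool(ACCESS_CODES & present)


def triage(records: List[Dict[str, str]], cost_per_record: float = 222.0) -> Dict[str, float]:
    """Count notifiable records and estimate breach cost at the per-record rate."""
    notifiable = [r for r in records if is_notifiable(r)]
    return {
        "records": len(records),
        "notifiable": len(notifiable),
        "estimated_cost_usd": round(len(notifiable) * cost_per_record, 2),
    }


# Constructed sample records (fake values, not real people or accounts).
SAMPLE_RECORDS = [
    {"last_name": "Rossi", "ssn": "000-00-0000"},                    # name + SSN: notifiable
    {"last_name": "Bianchi", "card_no": "4000000000000002"},         # card without PIN: no
    {"card_no": "4000000000000002", "pin": "1234"},                  # no name: no
    {"first_name": "Anna", "account_no": "12345", "pin": "9876"},    # name + acct + PIN: yes
    {"last_name": "Verdi", "email": "verdi@example.test"},           # e-mail alone: no
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
```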

Page 20: Security And Privacy Cagliari 2012

Security Measures And Protection of Privacy

Businesses protect their customers' private information with:

Information Security Policy: requirements for protection of the Confidentiality, Integrity and Availability (CIA) of customers' private data

Data classification: Public, Internal, Confidential, PII, Restricted

Security measures:

Controls: Authentication, Entitlements, Encryption, Session Management, Auditing & Logging

Measures: Security Audits

Information Security and Privacy Officers

Page 21: Security And Privacy Cagliari 2012

Opt-out Privacy Controls: Privacy Notices From US Banks

Page 22: Security And Privacy Cagliari 2012

Opt-in Privacy Controls: Cookies & Preferences

Page 23: Security And Privacy Cagliari 2012

PART III: Future Trends Affecting Data Privacy

Page 24: Security And Privacy Cagliari 2012

Individuals' Awareness of Privacy

"Maybe Zuckerberg is right. The mores of privacy are changing, and 'people don't want complete privacy.' Teens may be the first adopters of this change."

Source: http://trends.myyearbook.com/2010/07/facebook-privacy-issues-not-an-issue-for-teens/

Page 25: Security And Privacy Cagliari 2012

Adoption of New Technologies And New Challenges For Consumers' Privacy

(Timeline figure: the slide places the following technologies along an adoption timeline whose axis is marked 1997, 2000, 2005, 2007, 2010, 2012, 2015 and 2017)

Internet Webmail

Smart-phones

Social Networks

Biometric Authentication

Big data

BYOD

Cloud computing

Location aware applications

Mobile Payments

Social Analytics

Face Recognition

Gesture Recognition

Virtual Assistants

Internet of things

Social TVs

Page 26: Security And Privacy Cagliari 2012

Law Enforcement vs. Individuals' Privacy

Sources: https://www.eff.org

Page 27: Security And Privacy Cagliari 2012

Companies' Privacy Practices Are Increasingly Under Scrutiny

Page 28: Security And Privacy Cagliari 2012

Future Privacy Legislation in the EU

1. One EU regulation for all 27 countries

2. Applies to any processed PII of EU citizens (including IP addresses and GPS location data)

3. 24-hour data breach notification

4. Mandatory security assessments

5. EU citizens will have the right to request extended erasure of their personal data

6. Fines up to 2% of a company's annual worldwide turnover

(*) Source: http://www.donneespersonnelles.fr/6-things-you-need-to-know-about-the-new-eu-privacy-framework

Page 29: Security And Privacy Cagliari 2012

Open Questions

Questions for consumers:

1. What are my privacy rights?

2. How can I control my privacy?

3. Which PII can be disclosed, and to whom?

4. Who is legally liable for PII data that is lost?

Questions for businesses:

1. What are the privacy rights of my customers?

2. Which security policies protect customers' PII in compliance with privacy laws?

3. How soon do I need to inform my customers of a breach of PII and/or identity theft fraud?

4. When can customers' PII be disclosed to law enforcement?