Unsolved Issues in Security and Privacy Protection

Gio Wiederhold, Professor Emeritus
Computer Science, EE, and Medicine
Stanford University & MITRE CEC
[email protected]
http:infolab.stanford.edu/TIHI

February 2009

Security: protection and assurance

Crucial progress in protection has been made:

• Remote transmission authentication
• Firewalls around domains protect against enemies
• Much research based on cryptography

Are we done?

What does not work? How to find out?

• Don't look for problems that fit your solution
• Look at recently published problem lists: found about a dozen "top 10 issues" lists
• Observed: 2 categories
  1. Lists by technologists (91 entries): software faults, etc. Interesting, but less relevant as guidance. Note that Microsoft's list focuses on misuse.
  2. Lists by user organizations (56 entries): break-ins, etc. Needed a categorization to provide guidance.

Note: did not use the 2005 NIST/MITRE CVE repository of checklists.

Categorization of Problems

                   sources:
problem            technical   users    notes
Poor SW            48% ↑       27% ↓    buffers, interfaces
Hacking            13% ↓       34% ↑    external theft
Theft              10% ↓       23% ↑    internal theft
Sloppiness         15% ↑        2% ↓    weak passwords, etc.
Poor staff         12% ↑        4% ↓    includes management
Stupidity           5%          5%      from phishing, etc.
Lost stuff          2% ↓        5% ↑    numbers are huge
                   bias        bias

(↑ / ↓ mark where each source's lists are biased relative to the other.)

Many Victims of Record Release

[Figure: victims of record releases; the total shown is ≈ US population.]

From: Sasha Romanosky, Rahul Telang and Alessandro Acquisti: Do Data Breach Disclosure Laws Reduce Identity Theft? CMU Heinz School, Working paper, 19 Sep. 2008.

Model of major problems: software, external + internal theft

[Diagram: an Information store receives requests from a "Good girl", a "Bad apple" (insider) and a "Hacker" and returns results. Leaks shown leaving the store: password files for Lockcrack (seed with traps), exported sniffed passwords, credit card numbers, email addresses, Social Security numbers, ... Annotation: Vipin Swarup: resilience, consequences.]

Decide where your solution fits

[Diagram: the same model with three control points. Authentication-based control at the entry, where the security officer classifies requesters as good or bad guy and requests as clean or suspect (virus check). Role-based control inside, where the database administrator validates a request as O.K. or wrong against the requester's roles and passes a blessed request to the Information store. Release control on the way out, where results are classified as trusted, naughty or unverifiable contents (O.K. / risk) against security needs and the performance and function requests.]

1. Software: two major causes cited

Buffer overflow (48% of software faults)
• Languages in use do not keep metadata: allocated size, entry size
• They do not exploit metadata: check with every insert
• Performance hit, mitigated by a parallel check; exploit multi-core
• Can be done! [PL/ACME 1967; C string processing makes it awkward]

Insecure interfaces (34% of software faults)
• Multi-source modules: no / incompatible metadata; need broad testing tools
  – Not a supplier responsibility; change is frequent
• When to apply? During build, often at the customer; during execution: performance hit
• New methods are needed. Who will develop them?
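The buffer-overflow point above, as an added example that is not code from the slides (all names are hypothetical): a C buffer that carries exactly the metadata the slide says current languages omit, allocated size and entry size, and checks them on every insert, shown next to the unchecked strcpy idiom that produces the overflow.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the slides. "sbuf" keeps the two pieces of
 * metadata the slide asks for and checks them on every insert. */
typedef struct {
    char  *data;
    size_t capacity;   /* allocated size */
    size_t length;     /* entry size: bytes currently stored */
} sbuf;

int sbuf_init(sbuf *b, size_t capacity) {
    b->data = malloc(capacity);
    if (b->data == NULL) return -1;
    b->capacity = capacity;
    b->length = 0;
    return 0;
}

/* Checked insert: refuses any append that would exceed the allocation.
 * length <= capacity always holds, so capacity - length cannot underflow. */
int sbuf_append(sbuf *b, const char *src, size_t n) {
    if (n > b->capacity - b->length) return -1;
    memcpy(b->data + b->length, src, n);
    b->length += n;
    return 0;
}

void sbuf_free(sbuf *b) {
    free(b->data);
    b->data = NULL;
    b->capacity = b->length = 0;
}

/* The unchecked C-string idiom: strcpy writes strlen(src)+1 bytes into dst
 * no matter how large dst is, because a char* carries neither size.
 * Kept only for contrast; it is never called with an oversized input here. */
void unchecked_copy(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Returns 1 when the checked buffer rejects a 32-byte input into a
 * 16-byte allocation (the case strcpy would silently overflow). */
int demo_rejects_oversized(void) {
    sbuf b;
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes, constructed */
    if (sbuf_init(&b, 16) != 0) return -1;
    int rc = sbuf_append(&b, input, strlen(input));
    sbuf_free(&b);
    return rc == -1;
}

/* Returns the stored length after two in-bounds appends into a 16-byte buffer. */
int demo_within_capacity(void) {
    sbuf b;
    if (sbuf_init(&b, 16) != 0) return -1;
    if (sbuf_append(&b, "hello", 5) != 0 || sbuf_append(&b, "world", 5) != 0) {
        sbuf_free(&b);
        return -2;
    }
    int stored = (int)b.length;
    sbuf_free(&b);
    return stored;   /* 10 */
}

int main(void) {
    char small[16];
    unchecked_copy(small, "fits");   /* in bounds: 5 bytes into 16 */
    printf("oversized rejected: %d, stored after two appends: %d\n",
           demo_rejects_oversized(), demo_within_capacity());
    return 0;
}
```

The check in sbuf_append is the whole cost the slide is weighing: one comparison per insert against metadata the buffer already carries, which is what PL/ACME-style bounded strings did and what a bare char* cannot do.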

2. Role-based control: false assumption that roles match retrievable data

• Role-based access rights assume a partitioning of data
• Domain data are partitioned according to internal needs
• Partitions only match roles in simple / artificial cases

[Diagram: a customer's query passes a firewall, authentication and virus check, then a database access & authorization agent, before reaching the data sources; the result returns to the customer. Note: data sources are rarely perfectly matched to all access rights.]

Access Patterns versus Data

[Diagram: matrix of access patterns (roles) against data partitions. Data partitions: Laboratory, Billing, Patient, Accounting, Physician, Insurance Carriers, Clinics, Medical Research, Pharmacy, Inpatient, Accreditation, CDC, etc. Roles: Laboratory staff, Ward staff, Medical Research, Insurance Carriers, Accreditation, CDC. The access patterns cut across the partitions rather than aligning with them.]

3. Theft is not prevented

Assumption: if the container and entry are secure, outgoing results need not be checked.

Wrong:
1. Hackers and bad apples still manage to get inside
2. Data partitioning can never be perfect
3. Conflict between internal/external access roles and structure
4. Assurance against any possible misfiling is unaffordable

Commercial outgoing filters

• Ponemon Institute [Tucson, AZ] & Vontu [San Francisco, CA]: filters outgoing email only
• Reconnex [Mountain View, CA]: filter appliance on outgoing IP port
• RSA division of EMC [San Mateo, CA]: linguistic pattern matching on outbound traffic
• Symantec [Cupertino, CA]: outgoing viruses
• Vericept [Englewood, CO]: Internet traffic filter
• Vertasys – consultants [Wyomissing, PA]
• Websense / ex Vidius [Beverly Hills, CA; Tel Aviv, Israel], from IDF: information leak prevention, content analysis, embarrassing terms
• Zix [Cambridge, MA]: content filtering, forces encryption

Problem recognized, but not yet a science.
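Release control as the two slides above describe it (outgoing results must be checked because the perimeter and the role partitions leak), as an added example that is not the page's code nor any listed vendor's product: a minimal outgoing filter in C that scans a result for Luhn-valid card numbers and SSN-shaped strings before it leaves the domain. Function names and the sample strings are constructed for illustration; real filters add many more detectors and handle encodings, which this one does not.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides or any vendor listed on them. */

/* Luhn checksum over a string of ASCII digits; returns 1 if valid. */
static int luhn_ok(const char *digits, size_t n) {
    int sum = 0, dbl = 0;
    for (size_t i = n; i > 0; i--) {
        int d = digits[i - 1] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Count runs of 13..19 digits (single spaces or dashes allowed between
 * digits) that pass Luhn: the usual shape of a payment card number. */
int count_card_numbers(const char *text) {
    int found = 0;
    size_t len = strlen(text), i = 0;
    while (i < len) {
        if (!isdigit((unsigned char)text[i])) { i++; continue; }
        char digits[32];
        size_t n = 0, j = i;
        int too_long = 0;
        while (j < len) {
            unsigned char c = (unsigned char)text[j];
            if (isdigit(c)) {
                if (n < sizeof digits) digits[n++] = (char)c; else too_long = 1;
            } else if ((c == ' ' || c == '-') && j + 1 < len &&
                       isdigit((unsigned char)text[j + 1])) {
                /* single separator inside a run: keep collecting */
            } else {
                break;
            }
            j++;
        }
        if (!too_long && n >= 13 && n <= 19 && luhn_ok(digits, n)) found++;
        i = j;   /* skip past the whole run */
    }
    return found;
}

/* Count ddd-dd-dddd patterns that are not embedded in a longer digit run
 * (the shape of a US Social Security Number). */
int count_ssns(const char *text) {
    int found = 0;
    size_t len = strlen(text);
    for (size_t i = 0; i + 11 <= len; i++) {
        if (i > 0 && isdigit((unsigned char)text[i - 1])) continue;
        if (i + 11 < len && isdigit((unsigned char)text[i + 11])) continue;
        const char *p = text + i;
        int ok = 1;
        for (int k = 0; k < 11 && ok; k++) {
            if (k == 3 || k == 6) ok = (p[k] == '-');
            else ok = isdigit((unsigned char)p[k]) != 0;
        }
        if (ok) found++;
    }
    return found;
}

/* Release decision: 1 = hold the result back, 0 = let it out. */
int release_blocked(const char *result) {
    return count_card_numbers(result) > 0 || count_ssns(result) > 0;
}

int main(void) {
    /* constructed sample results, one clean and one leaking */
    const char *clean = "Lab result: glucose 98 mg/dL, order 2009-02-17";
    const char *leak  = "Patient SSN 123-45-6789, card 4111 1111 1111 1111 on file";
    printf("clean -> blocked=%d\n", release_blocked(clean));   /* 0 */
    printf("leak  -> blocked=%d\n", release_blocked(leak));    /* 1 */
    return 0;
}
```

The Luhn check is what keeps a date or an order number from tripping the card detector, and the "not embedded in a longer digit run" guard does the same for the SSN shape; both are the kind of false-positive control that separates a usable release filter from one that operators switch off.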

Choice of paranoia: naughty versus unverifiable contents. None for statistical data.

Conflicts in health care privacy

1. Individual patient care needs: incompatibility among 300 EHR providers
2. Medical research needs broad interoperation
3. Drug manufacturers hold an increasing fraction of data
4. Insurance companies feared, more than rational
5. Patient wishes so complex they are ignored:
   what to release: a) release nothing; b) release selected only; c) release most, except selected; d) release it all
   to whom: i. release only to own provider; ii. release to any provider; iii. release for medical research
6. Rules imposed by wimpy bureaucrats

[J. Marquard, UofM Amherst & P. Brennan, U. Wisc.: Are we crying wolf? JHIM 2009]

Assigning the Responsibility

Database Administrator
• Can create views limiting access in RDBMSs
• Prime role is to assure convenient data access

Network Administrator
• Can restrict incoming and outgoing IP addresses
• Prime role is to keep the network up and connected

Specialist Security Officer
• Prime responsibility is security & privacy protection
• Funds implementation of security policy
• Interacts with database & network administrators
• Conflicting duties, as in Human Resource management

Selling Security

• NSF: reviewers prefer novelty over effectiveness
• NIH / NLM: no credible specifications; it's all software
• DHS: large fraction technology transition
• Industry: there is rarely an economic business focus
  – No profit center is associated with security
  – Often the wrong people are in charge

No quantified economic model

• Costs of being secure are high, and the costs of maintaining security are yet higher
• The benefits are not visible when it works. Same as Bush's problem: did the Patriot Act prevent attacks?
• The costs of failures are hard to quantify: mainly high volume, low cost/exposure
• Failures are often dealt with by lawyers / meaningless action: the security admin gets replaced (and hired somewhere else)

The issue of data security is not solved

1. Crucial holes are poorly addressed
2. The economic model is weak
3. Funders & reviewers look for novelty
4. Software developers do not benefit from integrating security in their products
5. Complex rules are imposed
6. Inappropriate folk are in charge of $ & use

Summary: It's not all technical