Moving Towards Privacy-aware Security James R. Elste, CISSP, CISM, CGEIT Security Strategist Privacy by Design Research Lab, March 23, 2010



EDUCATION

• BS in Business Administration, University of Texas at Dallas

• MS in Information Assurance, Norwich University (NSA Center of Academic Excellence)

• Certified Information Systems Security Professional (CISSP)

• Certified Information Security Manager (CISM)

• Certified in the Governance of Enterprise Information Technology (CGEIT)

EXPERIENCE

• 20+ years of professional IT experience, 10+ years of specialization in Information Security

• Former Director, IS Security & Internal Controls, International Game Technology

• Former Chief Information Security Officer, State of Nevada

• Former Chief Security Officer, Commonwealth of Massachusetts, Health & Human Services

• Information Security Consulting Background

– I.B.M., Security & Privacy Services

– Ernst & Young, LLP, Information Security Services

– Independent Security Consultant

Credentials

Risk = Uncertainty that Matters

Elste’s Security Syllogism

Information has value

We protect things of value

Therefore: We must protect information

Elste’s Proof

Security vs. Privacy

PRIVACY: WHAT (WHY) information needs to be protected

SECURITY: HOW to protect information

Bill Boni

CISO, Motorola

The Changing Threat Landscape

Data Breaches

Global Intelligence Network: Identifies more threats, takes action faster & minimizes impact

• Information Protection

• Preemptive Security Alerts

• Threat Triggered Actions

• Global Scope and Scale

• Worldwide Coverage

• 24x7 Event Logging

• Rapid Detection

Attack Activity

• 240,000 sensors

• 200+ countries

Malware Intelligence

• 130M client, server, gateways monitored

• Global coverage

Vulnerabilities

• 32,000+ vulnerabilities

• 11,000 vendors

• 72,000 technologies

Spam/Phishing

• 2.5M decoy accounts

• 8B+ email messages/day

• 1B+ web requests/day

[Map locations: Calgary, Alberta; Culver City, CA; Mountain View, CA; Austin, TX; Alexandria, VA; Reading, England; Dublin, Ireland; Chengdu, China; Tokyo, Japan; Sydney, AU; Chennai, India; Pune, India; Taipei, Taiwan; San Francisco, CA]

• Attackers are increasingly targeting end users by compromising high-traffic, trusted websites.

• Attackers are moving their operations to regions with emerging Internet infrastructures and, in some instances, developing and maintaining their own service provisioning.

• Cross-functional industry cooperation in the security community is becoming imperative.

Internet Security Threat Report XIV: Overarching Themes

Internet Security Threat Report XIV: Growth in New Threats

Data Breaches Identities Exposed

Internet Security Threat Report XIV: Data Breach Trends

Threat Agents

Malicious Insiders

Hackers and Cyber-Criminals

Well-meaning Insiders

• According to Ponemon Institute, the average cost of a lost or stolen laptop PC is more than $49,000.

• In July 2006, a U.S. government-owned laptop with thousands of Florida driver’s license records was stolen from a vehicle in Florida while an official ate lunch inside a restaurant.

• Stolen or lost laptops are the most common type of data breach. Companies report the losses at a much higher rate than any other type of data breach. However, there’s a public misperception that these missing machines translate into identity theft. Most laptops are “fenced” for their hardware value, not for the confidential information

• Solution = Encryption + DLP + Asset Management + Regular Backups

Data Breach #1: Lost Laptop – An Avoidable Breach

Well meaning insiders

Data Breach #2: Data Spillage

SETUP

– Security team detected data theft incident. Knew they were in trouble

– Crucial missing information: where did the hackers gain access to the data?

– Called Symantec to help them answer this question

WHAT WE DID

– Symantec found the original target of the hacker’s efforts

– A software development team had copies of employee data

RESULT

– Internal data spill event was identified and addressed

– Symantec instrumental in the cleanup

Insiders and Hackers

Insiders and Hackers vs. Cyber Criminals vs. US Government Agency

Well-meaning Insider

Understanding the Exposures

Social Media Security Risks

Four Epochs of IT

Data Center

• Terminals

• Physical Security

Distributed Networks

• Thick-Client

• Anti-Virus

Web-enabled Networks

• Thin-Client

• Gateway Security

• Monitoring

“Social Media” Networks

• User-managed

• Data Loss Prevention

0 D/C 1980s 1990s 2000s

Social Media Security Risks: Overview

• Dr. Mark Drapeau and Dr. Linton Wells at the National Defense University (NDU) define social media as social software, “applications that inherently connect people and information in spontaneous, interactive ways.”

• As of 2008, Facebook had 132 million users, and Myspace 117 million users [Reisinger, Don. “10 Ways IT Managers Can Deal with Social Media.” eWeek. July 17, 2009 <http://www.eweek.com/c/a/Security/10-Ways-IT-Managers-Can-Deal-with-Social-Media>]

• Metcalfe’s Law: Total possible connections = N²

• Four Use Cases:

– Inward Sharing – internal collaboration sites

– Outward Sharing – communication with external entities or sites

– Inbound Sharing – online polling or “crowdsharing”

– Outbound Sharing – participation in public social networking sites

[Guidelines for Secure Use of Social Media by Federal Departments and Agencies – Sept 2009]

Social Media Security Risks: External Exposure Risks

• Inappropriately externalizing confidential/sensitive information

• Personal/Professional Separation

• Account Hijacking

• Privacy Issues and Identity Theft

• Harassment and Cyber-bullying

• Information Obsolescence

• Information Harvesting

• Evolving exposures from Location-aware Mobile Social Networks (LAMSN)

Social Media Security Risks: Internal Compromise Risks

• Malware and Targeted Malware

• Spearphishing

– 2006 MySpace phishing attack compromised 34,000 usernames and passwords

• Web Application Vulnerabilities

– Open Web Application Security Project (OWASP) Top Ten

• XSS

• New attacks & exploits are emerging on a regular basis

Social Media Security Risks: Malware example: Koobface

• The Koobface worm and its associated botnet have gained notoriety in security circles for their longevity and history of targeting social networking sites. First surfacing in 2008 within MySpace and Facebook, the worm resurfaced in early 2009, this time targeting Twitter users.

• By using Phishing techniques, the message directs the recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player.

• 11/10/2009 - As part of a new Koobface attack, links to Google Reader URLs controlled by cyber-criminals are being spammed by Koobface onto social network sites, including Facebook and MySpace. The hundreds of Google accounts involved host a page with a fake YouTube video. Attempts to view this supposed video expose Windows users to infection by Koobface.

• Koobface ultimately attempts, upon successful infection, to gather sensitive information from the victims such as credit card numbers.

• Anagram of FACEBOOK

Social Media Security Risks: Mitigation Strategies – Technical

• Shift to an information-centric protection paradigm, rather than a system-centric protection paradigm

– Data Loss Prevention

– Data Classification & Labeling Guidelines

– Digital Rights Management

• Enhanced Endpoint Protection

– Anti-malware

– Endpoint Firewall

– Intrusion Prevention

• Vulnerability and Patch Management

Social Media Security Risks: Mitigation Strategies – Non-Technical

• Update Policies to reflect the Appropriate Use of Social Networks

• Enhance Security Awareness Training

• Develop an enforceable process for information review and disclosure authorization

Data Loss Prevention: Three Crucial Questions

DATA LOSS PREVENTION (DLP)

DISCOVER: Where is your confidential data?

MONITOR: How is it being used?

PROTECT: How best to prevent its loss?

Data Loss Prevention: Key Functions

DISCOVER

• Find data wherever it is stored

• Create inventory of sensitive data

• Manage data clean up

MONITOR

• Understand how data is being used

• Understand content and context

• Gain enterprise-wide visibility

PROTECT

• Gain visibility into policy violations

• Proactively secure data

• Prevent confidential data loss

MANAGE

• Define unified policy across enterprise

• Detect content accurately

• Remediate and report on incidents

[Diagram: steps numbered 1–5; labels MANAGE, DISCOVER, MONITOR, PROTECT]

• Enable or customize policy templates

• Remediate and report on risk reduction

• Inspect data being sent

• Monitor network & endpoint events

• Block, remove or encrypt

• Quarantine or copy files

• Notify employee & manager

Data Loss Prevention: How it Works

DLP / CCS Integration – Key Use Cases & Benefits

Use Case Benefits

I. Content-Aware Technical Controls Assessment

• Discover & enumerate assets with sensitive information

• Prioritize compliance assessments based on type of information

• Ensure effective remediation of non-conformance through closed- or open-loop remediation

II. Integrated Compliance Dashboards

• Gain full view of compliance posture, through integrated reporting of technical, procedural, and data controls

I. Content-Aware Technical Controls Discovery

Servers with PCI data

1. Scan and Retrieve Data

2. Inspect Content and Record Incidents

3. Send incident and asset info

4. Scans assets to assess server compliance

Key Benefits:

• Align technical controls and risk policies with the content living on assets

• Risk reduction and compliance that addresses the most sensitive information

II. Integrated Compliance Reporting

[Diagram: steps numbered 1–4]

• Send incident and asset info

• Map incidents to regulations & policies

• Measure and report on compliance to regulatory requirements

• Consolidate info on both DLP policy violations and compliance data in dashboard views

Technology Benefits vs. Privacy Consequences

• Electronic Medical Records

– Effective treatment (+)

– Embarrassment (-)

– Discrimination (-)

• Electronic Voting

– Accuracy and accountability (no hanging chads) (+)

– Discrimination or Recrimination (-)

• Personally Identifiable Information & Identity Theft

– Not a long-term issue

– Significantly reduced by removing the profit motive

– Eliminated by Identity “Chains of Trust” & “Indelible Identities”

Final thoughts

• “Security” is essential to facilitate and preserve “privacy”

• There are numerous ethical issues that must be addressed as we continue to evolve our information society: some transcend technology, and some are manifest as a result of technology.

http://trendsmap.com/

George Orwell

1984

“But it was all right, everything was all right, the struggle was finished. He had won the victory over himself. He loved Big Brother.”

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

James R. Elste, CISSP, CISM, CGEIT
