Moving Towards Privacy-aware Security
James R. Elste, CISSP, CISM, CGEIT
Security Strategist
Privacy by Design Research Lab, March 23, 2010
Credentials
EDUCATION
• BS in Business Administration, University of Texas at Dallas
• MS in Information Assurance, Norwich University (NSA Center of Academic Excellence)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified in the Governance of Enterprise Information Technology (CGEIT)
EXPERIENCE
• 20+ years of professional IT experience, 10+ years of specialization in Information Security
• Former Director, IS Security & Internal Controls, International Game Technology
• Former Chief Information Security Officer, State of Nevada
• Former Chief Security Officer, Commonwealth of Massachusetts, Health & Human Services
• Information Security Consulting Background
– I.B.M., Security & Privacy Services
– Ernst & Young, LLP, Information Security Services
– Independent Security Consultant
Risk = Uncertainty that Matters
Elste’s Security Syllogism
Information has value
We protect things of value
Therefore: We must protect information
Elste’s Proof
Security vs. Privacy
PRIVACY: WHAT (WHY) information needs to be protected
SECURITY: HOW to protect information
Bill Boni, CISO, Motorola
The Changing Threat Landscape
Data Breaches
Global Intelligence Network: Identifies more threats, takes action faster & minimizes impact
Information Protection: Preemptive Security Alerts, Threat Triggered Actions
Global Scope and Scale: Worldwide Coverage, 24x7 Event Logging, Rapid Detection
Attack Activity
• 240,000 sensors
• 200+ countries
Malware Intelligence
• 130M client, server, gateways monitored
• Global coverage
Vulnerabilities
• 32,000+ vulnerabilities
• 11,000 vendors
• 72,000 technologies
Spam/Phishing
• 2.5M decoy accounts
• 8B+ email messages/day
• 1B+ web requests/day
[Global Intelligence Network locations: Calgary, Alberta; Culver City, CA; Mountain View, CA; Austin, TX; Alexandria, VA; Reading, England; Dublin, Ireland; Chengdu, China; Tokyo, Japan; Sydney, AU; Chennai, India; Pune, India; Taipei, Taiwan; San Francisco, CA]
Internet Security Threat Report XIV: Overarching Themes
• Attackers are increasingly targeting end users by compromising high-traffic, trusted websites.
• Attackers are moving their operations to regions with emerging Internet infrastructures and, in some instances, developing and maintaining their own service provisioning.
• Cross-functional industry cooperation in the security community is becoming imperative.
Internet Security Threat Report XIV: Growth in New Threats
Internet Security Threat Report XIV: Data Breach Trends
[Chart: Data Breaches; Identities Exposed]
Threat Agents
• Malicious Insiders
• Hackers and Cyber-Criminals
• Well-meaning Insiders
Data Breach #1: Lost Laptop – An Avoidable Breach
• According to Ponemon Institute, the average cost of a lost or stolen laptop PC is more than $49,000.
• In July 2006, a U.S. government-owned laptop with thousands of Florida driver’s license records was stolen from a vehicle in Florida while an official ate lunch inside a restaurant.
• Stolen or lost laptops are the most common type of data breach. Companies report the losses at a much higher rate than any other type of data breach. However, there is a public misperception that these missing machines translate into identity theft. Most laptops are “fenced” for their hardware value, not for the confidential information.
• Solution = Encryption + DLP + Asset Management + Regular Backups
Well-meaning Insiders
Data Breach #2: Data Spillage
SETUP
– Security team detected a data theft incident and knew they were in trouble
– Crucial missing information: where did the hackers gain access to the data?
– Called Symantec to help them answer this question
WHAT WE DID
– Symantec found the original target of the hacker’s efforts
– A software development team had copies of employee data
RESULT
– Internal data spill event was identified and addressed
– Symantec instrumental in the cleanup
[Diagram: Insiders and Hackers vs. Cyber Criminals vs. US Government Agency; Well-meaning Insider]
Understanding the Exposures
Social Media Security Risks
Four Epochs of IT
Data Center
• Terminals
• Physical Security
Distributed Networks
• Thick-Client
• Anti-Virus
Web-enabled Networks
• Thin-Client
• Gateway Security
• Monitoring
“Social Media” Networks
• User-managed
• Data Loss Prevention
[Timeline axis: 0 D/C, 1980s, 1990s, 2000s]
Social Media Security Risks: Overview
• Dr. Mark Drapeau and Dr. Linton Wells at the National Defense University (NDU) define social media as social software, “applications that inherently connect people and information in spontaneous, interactive ways.”
• As of 2008, Facebook had 132 million users, and Myspace 117 million users [Reisinger, Don. “10 Ways IT Managers Can Deal with Social Media.” eWeek. July 17, 2009 <http://www.eweek.com/c/a/Security/10-Ways-IT-Managers-Can-Deal-with-Social-Media>]
• Metcalfe’s Law: Total possible connections = N²
• Four Use Cases:
– Inward Sharing – internal collaboration sites
– Outward Sharing – communication with external entities or sites
– Inbound Sharing – online polling or “crowdsharing”
– Outbound Sharing – participation in public social networking sites [Guidelines for Secure Use of Social Media by Federal Departments and Agencies – Sept 2009]
Social Media Security Risks: External Exposure Risks
• Inappropriately externalizing confidential/sensitive information
• Personal/Professional Separation
• Account Hijacking
• Privacy Issues and Identity Theft
• Harassment and Cyber-bullying
• Information Obsolescence
• Information Harvesting
• Evolving exposures from Location-aware Mobile Social Networks (LAMSN)
Social Media Security Risks: Internal Compromise Risks
• Malware and Targeted Malware
• Spearphishing
– 2006 MySpace phishing attack compromised 34,000 usernames and passwords
• Web Application Vulnerabilities
– Open Web Application Security Project (OWASP) Top Ten
– XSS
• New attacks & exploits are emerging on a regular basis
Social Media Security Risks: Malware example – Koobface
• The Koobface worm and its associated botnet have gained notoriety in security circles for their longevity and history of targeting social networking sites. First surfacing in 2008 within MySpace and Facebook, the worm resurfaced in early 2009, this time targeting Twitter users.
• Using phishing techniques, the message directs recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player.
• 11/10/2009 – As part of a new Koobface attack, links to Google Reader URLs controlled by cyber-criminals are being spammed by Koobface onto social network sites, including Facebook and MySpace. The hundreds of Google accounts involved host a page with a fake YouTube video. Attempts to view this supposed video expose Windows users to infection by Koobface.
• Upon successful infection, Koobface attempts to gather sensitive information from the victims, such as credit card numbers.
• Anagram of FACEBOOK
Social Media Security Risks: Mitigation Strategies – Technical
• Shift to an information-centric protection paradigm, rather than a system-centric protection paradigm
– Data Loss Prevention
– Data Classification & Labeling Guidelines
– Digital Rights Management
• Enhanced Endpoint Protection
– Anti-malware
– Endpoint Firewall
– Intrusion Prevention
• Vulnerability and Patch Management
Social Media Security Risks: Mitigation Strategies – Non-Technical
• Update Policies to reflect the Appropriate Use of Social Networks
• Enhance Security Awareness Training
• Develop an enforceable process for information review and disclosure authorization
Data Loss Prevention: Three Crucial Questions
DATA LOSS PREVENTION (DLP)
DISCOVER – Where is your confidential data?
MONITOR – How is it being used?
PROTECT – How best to prevent its loss?
Data Loss Prevention: Key Functions
DISCOVER
• Find data wherever it is stored
• Create inventory of sensitive data
• Manage data clean up
MONITOR
• Understand how data is being used
• Understand content and context
• Gain enterprise-wide visibility
PROTECT
• Gain visibility into policy violations
• Proactively secure data
• Prevent confidential data loss
MANAGE
• Define unified policy across enterprise
• Detect content accurately
• Remediate and report on incidents
Data Loss Prevention: How it Works
1. MANAGE
• Enable or customize policy templates
2. DISCOVER
3. MONITOR
• Inspect data being sent
• Monitor network & endpoint events
4. PROTECT
• Block, remove or encrypt
• Quarantine or copy files
• Notify employee & manager
5. MANAGE
• Remediate and report on risk reduction
DLP / CCS Integration – Key Use Cases & Benefits
Use Case I. Content-Aware Technical Controls Assessment
Benefits:
• Discover & enumerate assets with sensitive information
• Prioritize compliance assessments based on type of information
• Ensure effective remediation of non-conformance through closed- or open-loop remediation
Use Case II. Integrated Compliance Dashboards
Benefits:
• Gain full view of compliance posture, through integrated reporting of technical, procedural, and data controls
I. Content-Aware Technical Controls Discovery
[Diagram – Servers with PCI data: 1. Scan and Retrieve Data; 2. Inspect Content and Record Incidents; 3. Send incident and asset info; 4. Scan assets to assess server compliance]
Key Benefits:
• Align technical controls and risk policies with the content living on assets
• Risk reduction and compliance that addresses the most sensitive information
II. Integrated Compliance Reporting
[Diagram – steps 1 and 2 unlabeled in the transcript; 3. Send incident and asset info; 4. Map incidents to regulations & policies; Measure and report on compliance to regulatory requirements; Consolidate info on both DLP policy violations and compliance data in dashboard views]
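The Discover / Monitor / Protect / Manage cycle from the Key Functions and How it Works slides, together with the DLP / CCS step of mapping incidents to regulations for a dashboard, as an added Python example. This is not the deck's or Symantec's code: the two content detectors (card numbers validated with the Luhn check, US SSN shapes), the policy and regulation labels, the asset names and the sample file and event data are all constructed for the example.

```python
"""Toy data loss prevention (DLP) pipeline: Discover, Monitor, Protect, Manage.

Added example, not Symantec's product code. It models the four DLP key
functions from the slides on constructed sample data and then maps the
resulting incidents to compliance requirements the way the DLP / CCS
integration slide describes. Policy names, regulation labels, asset names
and sample content are all constructed for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digit card-number shapes
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # US SSN shape


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Card-number candidates that also pass Luhn (the 'detect content accurately' step)."""
    return [m.group().strip() for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group()))]


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


# MANAGE: one unified policy set. Each policy names a detector, the
# regulation it maps to and the protective action taken on a match
# (labels are illustrative, constructed for this example).
POLICIES = {
    "PCI-PAN": {"detect": find_pans, "regulation": "PCI DSS Req. 3", "action": "block"},
    "PII-SSN": {"detect": find_ssns, "regulation": "State breach law", "action": "quarantine"},
}


@dataclass(frozen=True)
class Incident:
    asset: str       # file path or channel endpoint where the data was seen
    channel: str     # "storage", "email", "usb", ...
    policy: str
    matches: int


def inspect(asset: str, channel: str, content: str) -> list[Incident]:
    """Content detection shared by Discover (data at rest) and Monitor (data in motion)."""
    incidents = []
    for name, pol in POLICIES.items():
        hits = pol["detect"](content)
        if hits:
            incidents.append(Incident(asset, channel, name, len(hits)))
    return incidents


def discover(store: dict[str, str]) -> list[Incident]:
    """DISCOVER: scan every stored asset and build the inventory of sensitive data."""
    return [inc for path, text in store.items() for inc in inspect(path, "storage", text)]


def monitor(events: list[dict]) -> list[Incident]:
    """MONITOR: inspect data as it moves over network and endpoint channels."""
    return [inc for ev in events for inc in inspect(ev["to"], ev["channel"], ev["body"])]


def protect(incident: Incident) -> str:
    """PROTECT: apply the policy's action and produce the notification text."""
    action = POLICIES[incident.policy]["action"]
    return (f"{action}: {incident.channel} -> {incident.asset} "
            f"({incident.policy}, {incident.matches} match(es)); notify employee & manager")


def compliance_report(incidents: list[Incident]) -> dict[str, dict[str, int]]:
    """MANAGE / CCS integration: map incidents to regulations per asset for the dashboard."""
    report = defaultdict(lambda: defaultdict(int))
    for inc in incidents:
        report[POLICIES[inc.policy]["regulation"]][inc.asset] += inc.matches
    return {reg: dict(assets) for reg, assets in report.items()}


# Constructed sample data: a small file share and two outbound events.
FILE_STORE = {
    "/share/finance/refunds.csv": "cust,card\nA,4111 1111 1111 1111\nB,4111111111111111\n",
    "/share/hr/onboarding.txt": "New hire SSN 123-45-6789, start Monday.",
    "/share/it/tickets.log": "Ticket 1234567890123 closed.",   # 13 digits, fails Luhn
}
EVENTS = [
    {"channel": "email", "to": "partner@example.test", "body": "Card on file: 4111-1111-1111-1111"},
    {"channel": "usb", "to": "E:\\backup\\notes.txt", "body": "Lunch at noon, ext 4321."},
]

if __name__ == "__main__":
    found = discover(FILE_STORE) + monitor(EVENTS)
    for inc in found:
        print(protect(inc))
    print(compliance_report(found))
```

The ticket log is there to show why the slide's "detect content accurately" matters: a 13-digit ticket number has the shape of a card number and would raise a false incident on a pattern match alone, so the Luhn check is applied before an incident is recorded. The report groups match counts by regulation and asset, which is the data the CCS dashboard slide consolidates.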
Technology Benefits vs. Privacy Consequences
• Electronic Medical Records
– Effective treatment (+)
– Embarrassment (-)
– Discrimination (-)
• Electronic Voting
– Accuracy and accountability (no hanging chads) (+)
– Discrimination or Recrimination (-)
• Personally Identifiable Information & Identity Theft
– Not a long-term issue
– Significantly reduced by removing the profit motive
– Eliminated by Identity “Chains of Trust” & “Indelible Identities”
Final thoughts
• “Security” is essential to facilitate and preserve “privacy”
• There are numerous ethical issues that must be addressed as we continue to evolve our information society, some of which transcend technology and some of which arise as a result of technology
http://trendsmap.com/
George Orwell
1984
“But it was all right, everything was all right, the struggle was finished. He had won the victory over himself. He loved Big Brother.”
Thank you!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
James R. Elste, CISSP, CISM, CGEIT