Moving Towards Privacy-aware Security
James R. Elste, CISSP, CISM, CGEIT
Security Strategist
Privacy by Design Research Lab, March 23, 2010
Credentials
EDUCATION
• BS in Business Administration, University of Texas at Dallas
• MS in Information Assurance, Norwich University (NSA Center of Academic Excellence)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified in the Governance of Enterprise Information Technology (CGEIT)
EXPERIENCE
• 20+ years of professional IT experience, 10+ years of specialization in Information Security
• Former Director, IS Security & Internal Controls, International Game Technology
• Former Chief Information Security Officer, State of Nevada
• Former Chief Security Officer, Commonwealth of Massachusetts, Health & Human Services
• Information Security Consulting Background
– I.B.M., Security & Privacy Services
– Ernst & Young, LLP, Information Security Services
– Independent Security Consultant
Risk = Uncertainty that Matters

Elste’s Security Syllogism
• Information has value
• We protect things of value
• Therefore: we must protect information

Elste’s Proof
Security vs. Privacy
• PRIVACY: WHAT (and WHY) information needs to be protected
• SECURITY: HOW to protect information
– Bill Boni, CISO, Motorola
Data Breaches
The Changing Threat Landscape
Global Intelligence Network
Identifies more threats, takes action faster & minimizes impact
Network locations (from the map): Calgary, Alberta; San Francisco, CA; Mountain View, CA; Culver City, CA; Dublin, Ireland; Reading, England; Tokyo, Japan; Alexandria, VA; Chengdu, China; Austin, TX; Taipei, Taiwan; Chennai, India; Pune, India; Sydney, AU
Worldwide Coverage, Global Scope and Scale, 24x7 Event Logging, Rapid Detection
Attack Activity
• 240,000 sensors
• 200+ countries
Malware Intelligence
• 130M client, server, gateways monitored
• Global coverage
Vulnerabilities
• 32,000+ vulnerabilities
• 11,000 vendors
• 72,000 technologies
Spam/Phishing
• 2.5M decoy accounts
• 8B+ email messages/day
• 1B+ web requests/day
Preemptive Security Alerts, Information Protection, Threat Triggered Actions
Internet Security Threat Report XIV
Overarching Themes
• Attackers are increasingly targeting end users by
compromising high-traffic, trusted websites.
• Attackers are moving their operations to regions with
emerging Internet infrastructures and, in some
instances, developing and maintaining their own
service provisioning.
• Cross-functional industry cooperation in the security
community is becoming imperative.
Internet Security Threat Report XIV
Growth in New Threats
Number of new threats per year (values read from the chart):
• 2002: 20,547
• 2003: 18,827
• 2004: 69,107
• 2005: 113,025
• 2006: 140,690
• 2007: 624,267
• 2008: 1,656,227
Internet Security Threat Report XIV
Data Breach Trends (charts: Data Breaches; Identities Exposed)
Threat Agents
• Well-meaning Insiders
• Malicious Insiders
• Hackers and Cyber-Criminals
Data Breach #1: Lost Laptop
An Avoidable Breach
Well-meaning insiders
• According to the Ponemon Institute, the average cost of a lost or stolen laptop PC is more than $49,000.
• In July 2006, a U.S. government-owned laptop with thousands of Florida driver’s license records was stolen from a vehicle in Florida while an official ate lunch inside a restaurant.
• Stolen or lost laptops are the most common type of data breach. Companies report these losses at a much higher rate than any other type of data breach. However, there is a public misperception that these missing machines translate into identity theft. Most laptops are “fenced” for their hardware value, not for the confidential information they hold.
• Solution = Encryption + DLP + Asset Management + Regular Backups
Data Breach #2: Data Spillage
Threat agents: Well-meaning Insiders vs. Hackers and Cyber Criminals
US Government Agency
SETUP
– Security team detected a data theft incident and knew they were in trouble
– Crucial missing information: where did the hackers gain access to the data?
– Called Symantec to help them answer this question
WHAT WE DID
– Symantec found the original target of the hackers’ efforts
– A software development team had copies of employee data
RESULT
– Internal data spill event was identified and addressed
– Symantec instrumental in the cleanup
Social Media Security Risks
Understanding the Exposures
Four Epochs of IT
• Data Center: Terminals; Physical Security
• Distributed Networks (1980s): Thick-Client; Anti-Virus
• Web-enabled Networks (1990s): Thin-Client; Gateway Security
• “Social Media” Networks (2000s): User-managed; Data Loss Prevention; Monitoring
Social Media Security Risks
Overview
• Dr. Mark Drapeau and Dr. Linton Wells at the National Defense University (NDU) define social media as social software, “applications that inherently connect people and information in spontaneous, interactive ways.”
• As of 2008, Facebook had 132 million users, and Myspace 117 million users
[Reisinger, Don. “10 Ways IT Managers Can Deal with Social Media.” eWeek. July 17, 2009
<http://www.eweek.com/c/a/Security/10-Ways-IT-Managers-Can-Deal-with-Social-Media>]
• Metcalfe’s Law: Total possible connections = N²
• Four Use Cases:
– Inward Sharing – internal collaboration sites
– Outward Sharing – communication with external entities or sites
– Inbound Sharing – online polling or “crowdsharing”
– Outbound Sharing – participation in public social networking sites
[Guidelines for Secure Use of Social Media by Federal Departments and Agencies – Sept 2009]
Social Media Security Risks
External Exposure Risks
• Inappropriately externalizing confidential/sensitive information
• Personal/Professional Separation
• Account Hijacking
• Privacy Issues and Identity Theft
• Harassment and Cyber-bullying
• Information Obsolescence
• Information Harvesting
• Evolving exposures from Location-aware Mobile Social Networks (LAMSN)
Social Media Security Risks
Internal Compromise Risks
• Malware and Targeted Malware
• Spearphishing
– 2006 MySpace phishing attack compromised 34,000 usernames and passwords
• Web Application Vulnerabilities
– Open Web Application Security Project (OWASP) Top Ten
• XSS
• New attacks & exploits are emerging on a regular basis
Social Media Security Risks
Malware example: Koobface
• The Koobface worm and its associated botnet have gained notoriety in security circles for their longevity and history of targeting social networking sites. First surfacing in 2008 within MySpace and Facebook, the worm resurfaced in early 2009, this time targeting Twitter users.
• Using phishing techniques, the message directs recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player.
• 11/10/2009 - As part of a new Koobface attack, links to Google Reader URLs controlled by cyber-criminals are being spammed by Koobface onto social network sites, including Facebook and MySpace. The hundreds of Google accounts involved host a page with a fake YouTube video. Attempts to view this supposed video expose Windows users to infection by Koobface.
• Upon successful infection, Koobface ultimately attempts to gather sensitive information from the victims, such as credit card numbers.
• The name is an anagram of FACEBOOK
Social Media Security Risks
Mitigation Strategies - Technical
• Shift to an information-centric protection paradigm, rather than a system-centric protection paradigm
– Data Loss Prevention
– Data Classification & Labeling Guidelines
– Digital Rights Management
• Enhanced Endpoint Protection
– Anti-malware
– Endpoint Firewall
– Intrusion Prevention
• Vulnerability and Patch Management
Social Media Security Risks
Mitigation Strategies – Non-Technical
• Update Policies to reflect the Appropriate Use of Social Networks
• Enhance Security Awareness Training
• Develop an enforceable process for information review and disclosure authorization
Data Loss Prevention
Three Crucial Questions
• DISCOVER: Where is your confidential data?
• MONITOR: How is it being used?
• PROTECT: How best to prevent its loss?
DATA LOSS PREVENTION (DLP)
Data Loss Prevention
Key Functions
DISCOVER
• Find data wherever it is stored
• Create inventory of sensitive data
• Manage data clean up
MONITOR
• Understand how data is being used
• Understand content and context
• Gain enterprise-wide visibility
PROTECT
• Gain visibility into policy violations
• Proactively secure data
• Prevent confidential data loss
MANAGE
• Define unified policy across enterprise
• Remediate and report on incidents
• Detect content accurately
Data Loss Prevention
How it Works
1. MANAGE
• Enable or customize policy templates
2. DISCOVER
• Identify scan targets
• Run scan to find sensitive data on network & endpoint
3. MONITOR
• Inspect data being sent
• Monitor network & endpoint events
4. PROTECT
• Block, remove or encrypt
• Quarantine or copy files
• Notify employee & manager
5. MANAGE
• Remediate and report on risk reduction
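To make the MANAGE / MONITOR / PROTECT loop concrete, here is an added example (not code from this deck or from any Symantec product) of a minimal content-inspection engine in Python: the policy templates, the detectors, the action ranking and the sample messages are all constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Step 1 (MANAGE): constructed policy templates. Each names a detector and the
# PROTECT action to take on a match; actions are ranked so that block > redact > notify.
SEVERITY = {"allow": 0, "notify": 1, "redact": 2, "block": 3}

@dataclass
class Policy:
    name: str
    pattern: re.Pattern
    action: str
    validate: Optional[Callable[[str], bool]] = None  # extra check that cuts false positives

def luhn_ok(number: str) -> bool:
    """Luhn checksum: confirms a digit run is a plausible payment card number."""
    digits = re.sub(r"\D", "", number)
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

POLICIES = [
    # 13-19 digits with optional spaces/dashes, accepted only if Luhn-valid
    Policy("PCI card number", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "block", luhn_ok),
    Policy("US SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "redact"),
    Policy("Internal label", re.compile(r"\bCONFIDENTIAL\b"), "notify"),
]

def inspect(event: str, policies=POLICIES) -> dict:
    """Steps 3-4: inspect one outbound message, record incidents, apply the strictest action."""
    incidents, redacted, action = [], event, "allow"
    for p in policies:
        for m in p.pattern.finditer(event):
            if p.validate and not p.validate(m.group()):
                continue                  # e.g. an order id that merely looks like a card number
            incidents.append({"policy": p.name, "match": m.group(), "action": p.action})
            redacted = redacted.replace(m.group(), "[REDACTED]")
            if SEVERITY[p.action] > SEVERITY[action]:
                action = p.action
    # Step 5 (MANAGE) would aggregate these incident records for remediation reporting.
    return {"action": action, "incidents": incidents, "redacted": redacted}
```

The Luhn validator is what separates “detect content accurately” from pattern matching alone: a 16-digit reference number that fails the checksum produces no incident.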
DLP / CCS Integration: Key Use Cases & Benefits
Use Case I. Content-Aware Technical Controls Assessment
Benefits
• Discover & enumerate assets with sensitive information
• Prioritize compliance assessments based on type of information
• Ensure effective remediation of non-conformance through closed- or open-loop remediation
Use Case II. Integrated Compliance Dashboards
Benefits
• Gain full view of compliance posture, through integrated reporting of technical, procedural, and data controls
I. Content-Aware Technical Controls Discovery
1. Scan and retrieve data from servers with PCI data
2. Inspect content and record incidents
3. Send incident and asset info
4. Scan assets to assess server compliance
Key Benefits:
• Align technical controls and risk policies with the content living on assets
• Risk reduction and compliance that addresses the most sensitive information
II. Integrated Compliance Reporting
1. Send incident and asset info
2. Map incidents to regulations & policies
3. Measure and report on compliance to regulatory requirements
4. Consolidate info on both DLP policy violations and compliance data in dashboard views
Technology Benefits vs. Privacy Consequences
• Electronic Medical Records
– Effective treatment (+)
– Embarrassment (-)
– Discrimination (-)
• Electronic Voting
– Accuracy and accountability (no hanging chads) (+)
– Discrimination or Recrimination (-)
• Personally Identifiable Information & Identity Theft
– Not a long-term issue
– Significantly reduced by removing the profit motive
– Eliminated by Identity “Chains of Trust” & “Indelible Identities”
Final thoughts
• “Security” is essential to facilitate and preserve “privacy”
• There are numerous ethical issues that must be addressed as we continue to evolve our information society; some transcend technology and some are manifest as a result of technology.
http://trendsmap.com/
“But it was all right, everything was all right, the struggle was finished. He had won the victory over himself. He loved Big Brother.”
– George Orwell, 1984
Thank you!
James R. Elste, CISSP, CISM, CGEIT
[email protected]
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.