Information Assurance Center Iowa State University 1 Data Security: Protecting data within an...
Information Assurance CenterInformation Assurance Center Iowa State University Iowa State University 11
Data Security:
Protecting data within an organization
Doug Jacobson
Information Assurance Center
www.iac.iastate.edu

Outline
• The past (slides from 1998 talk)
• What are the threats
• What is the state of the art in defense
• New Threat model (they are inside)
  – Data threats
  – Data protection

The Past

Today, is there still a problem?
• One recent report
  – 800 million records lost
  – 60% were from hacking
• Documented attacks against
  – Power grid, Banking, Transportation
  – (Just about every critical sector)
• Heartbleed, BASH, POODLE, Sandworm, Target/HomeDepot/DQ, SONY
• Does not include the attacks directed at people

What has changed in 15 years?
• More attackers
• More possible devices (over 7 billion)
• More motivations to attack ($, IP, war)
• More reliance on technology
• More potential victims (users on the net)
• More news coverage
• More DATA to steal

What are the threats?
• There are almost as many ways to classify threats as there are threats
• We want to look at:
  – Why is this a hard problem
  – What are the targets
  – What is our risk
  – Who is after us

Why is threat classification hard?
• There is no longer a solid perimeter
  – Wireless, mobile, computing everywhere
• Multiple vendors providing solutions
• Security is not a selling point - First to market
• Outsourcing
• New technologies
• Change in tactics
• Time compression

What is our risk?
• We don’t know how important something is until we lose it.
• We don’t always know what is important to others (customers, attackers)
• We don’t know what we have and where it is
• New technology makes it hard to keep up
• New model: Assume attackers are in your network.

Who is after us?
• Script kiddies
• Hackers
• Professionals
• Nation states

Goals vs. outcomes
• Goals:
  – Theft (money, data, etc.)
  – Cyber crime
    • Aid in physical crime or just a cyber crime
  – Terrorism
    • Aid in physical activity or cyber only
  – Disruption
• Outcome of attack may be the same independent of the goal.

How They do it: Attacks of opportunity
• Often carried out by script kiddies
• Pick on vulnerable systems
  – Not installing patches
• Misconfigured systems
  – Initial configuration problems
  – Reconfiguration problems

How They do it: Advanced Persistent Threat
• Attackers will pick a target or targets and wait until you make a mistake.
  – Misconfiguration
  – Not patching a system
• Or they will target your employees with phishing emails
  – Get them to disclose passwords
  – Go to web sites to get malware
  – Send attachments with malware
• Zero day attacks

(APT) Likely targets
• The Internet of things
  – Power, Water, transportation, etc.
• Where the money is
  – Banks, people, organizations (lower tech = target)
• Intellectual property
  – Technology (ag sector, manufacturing, etc)
• Gain access

How They do it: Types of insider threats
• Intentional – Think of the number of egress points and the number of protocols involved.
• Accidental – As applications become more integrated and seamless, it becomes easier to send data (email, IM, P to P)
• Intentionally Accidental – As we have hardened our defenses, the attackers are using more social based attacks to get the users to leak information.

Careless Insider
• Attackers have shifted focus to the employees and home users
  – Phishing
  – Viruses
  – Spyware
  – Social Engineering
• Using Email, peer to peer, IM, web sites, software downloads

Example (Target)
• Attackers had malware that reads memory and sends it to a drop site
• Unclear if they picked certain retailers or just looked for ones where they could insert the malware
[Diagram labels: CC reader; memory; Encrypt & verify; To Target main office]

Example (Target)
• Used weak security at HVAC company to get login name and password to Target
• Tested software Nov 15-28
• Nov 30 pushed to most POS terminals
[Diagram labels: CC reader; memory; Encrypt & verify; Target main office; Malware; To drop sites; HVAC; Attackers]

Credit cards for sale
• Home Depot theft was over a longer period

Example (SONY)
• Still unclear on how they gained access.
• Appears to be APT
• Attackers raised the stakes in that this is one of the first attacks that caused widespread destruction of computing resources.
  – Well written and very complex malware

Now let’s talk about defense
• First, cyber security is an unfair war
  – Defenders must be perfect
  – Attackers only need to get it right once.
  – Law enforcement often cannot tell if something happened.
• Let’s look at where we are
  – Prevention (defense)
  – Detection
  – Attribution

State of the art in defense
• Most organizations practice defense in depth
• However, we are still often just reacting to events.
• Sometimes we don’t even know they are attacking

State of the art in protection / prevention
We know how to build forts and protect ourselves from the outside

Let’s talk about walls
• We build lots of technology based walls around everything.

Threats against the wall
Threats:
• SW/HW Faults: Defect in the wall
• Config Faults: Open door in the wall
• Auth Faults: Bad lock on the door
• Social Faults: Getting door key from user

Threats to the people
• Phishing
• Email attachments
  – Trojans
  – Viruses
• Peer-to-Peer
• Web Sites
• Wireless
• Social Networking

Threats adapt

Detection
• Hard to know when we are being attacked
  – Often we know because of some other data (bank statement, audit, etc.)
• Finding an attack in all of the data
• Users and organizations need to play a role.
• Very little information sharing to know if there is a pattern across organizations

Attribution
• Very hard problem
• Device attribution vs. people attribution
  – Easier to identify a device than the person
  – Often attacks come from places where information is hard to get
• Many technologies allow users to hide
• Need forensics
  – Network
  – Computer

The future
• Internet of things
  – More devices than people connected to the Internet
• Highly focused attacks
  – People
  – Infrastructure
• New risk model
  – Assume they are inside already
• True cyber physical attack

New threat model
• This is a complex system problem
  – We need to assume they are or will be inside our systems
• They want our data
  – Sell it
  – Use it
  – Destroy it
  – Use it against us
• We need to protect it

No easy solution
• There is no longer a solid perimeter
  – Wireless, mobile, computing everywhere
• Multiple vendors providing solutions
• Home grown solutions
• Adaptive attacks
• Data leakage

Let’s talk about data
• Can you answer these questions:
  – How much data you have?
  – Where the data lives?
  – How many copies there are?
  – Who has the copies?
  – Do they know they have a copy?
  – Do they know how to protect it?
  – Do you have a plan?

What is data?
• Data acts like water
  – Just like the earth is mostly water, most of your organization is based on data.
  – Water is everywhere and so is your data
  – Data, like water, is hard to hold on to once it leaves its container.
  – Like water, everyone wants data.
  – Like water, many people are willing to share data when asked?
• One big difference, data can be copied

Computer Information Volume
• Terabyte 1,099,511,627,776 bytes
• Page size 3000 bytes
• Pages 366,503,875
• Ream 500 pages
• Reams 733,007 Reams
• Ream height 2”
• Total height 1,466,014” = 122,168’ or 23 miles
• Olympus Mons 78,740’

Data Leakage
• Focus has been on identity theft and while that is an important issue, organizations should not forget the importance of their other data.
• Increasing number of protocols
• Increasing number of attackers
• Increasing number of user driven applications
• Increasing amount of data
• Increasing government intervention
• Increasing number of attacks against insiders

Data Loss Prevention
• Where is your data located?
  – Centralized, distributed, both
• Who has access to your data?
  – Read, write, delete
• Who controls your data?
  – Owners, users, anyone
• Do you manage
  – Data at rest?
  – Data in motion?
  – Data in devices?

Data at Rest
• Your data is stored somewhere (everywhere)
  – How many ways can data at rest be copied, moved, or examined
  – How do you find your data at rest
    • Discovery
  – How do you keep your data at rest safe
    • Encryption, device locking

Data In Motion
• Used to keep private information from leaving
  – SS Numbers, Account Numbers, Records
• Will either log, stop, or encrypt violating content
• What is leaving your organization
  – Protocols
  – User installed applications
  – Confidential data

Data In Devices
• Do people carry the data with them?
  – Phones
  – Laptops
  – Tablets
  – Whatever the new technology is
• Do people remotely access data from their mobile device?

The five Cs of data protection
• Classification
• Compartmentalization
• Cryptography
• Contingency planning
• Coaching

1. Data Classification
• Develop a taxonomy for the different data types (industry specific)
• Decide what levels of protection are needed for each data classification
• Find the data in your organization
  – Move, destroy, protect.
• Develop a plan to keep looking for the data

Data Classification
• Develop levels
  – Restricted
  – High
  – Moderate
  – Low
• Decide what data fits into what level
• When you are not sure you can use the FIPS 199 standard

Federal Information Processing Standards (“FIPS”) publication 199
Security Objective: Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
• LIMITED IMPACT: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• SERIOUS IMPACT: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• SEVERE IMPACT: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Security Objective: Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
• LIMITED IMPACT: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• SERIOUS IMPACT: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• SEVERE IMPACT: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Security Objective: Availability
Ensuring timely and reliable access to and use of information.
• LIMITED IMPACT: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• SERIOUS IMPACT: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• SEVERE IMPACT: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Example
Restricted  High  Moderate  Low
Social Security Numbers
Credit Card Numbers
Financial Account Numbers, such as checking or investment account numbers
Driver's License Numbers
Health Insurance Policy ID Numbers
Health Information, including Protected Health Information (PHI)
Passport and visa numbers
Export controlled information under U.S. laws
Authentication credentials or identity verification information
Confidential employee Records
ID numbers
Student class schedules
ID Card Photographs
Disciplinary files
Research data (electronic and physical)
Employment applications, personnel files, benefits information, and birth date
Privileged attorney-client communications
Directory Information
Approved Census Facts

Finding your data
• Remember data is like water, it is hard to find the leak.
• Automated software can help find data
  – Agent based
  – Host/server based
  – Stand alone
• Maybe hold a spring cleaning day
  – Shred paper, remove files, know what you have

2. Compartmentalization
• Assume the attacker is acting as an insider
• You need to control who has access to what data.
  – Network based
  – Host/server based
  – Data source based
• The role of authentication

Network based
• Typically uses technology to enforce internal compartmentalization
  – Internal FW, VLANs, VPN
• Monitor internal network access
• Worry about wireless

Host/server based
• Know what data is stored on which host
  – Agent software
• Control access to server shares
  – Authentication based
  – Limit access to only people that need to know
  – Beware of host to host authentication

Data source based
• Control access to data sources
  – Databases, files, etc.
  – Authentication based access
  – Role based access
• Use network based compartmentalization to help restrict access to data sources

Authentication control
• Network based
  – VPN (typically external to internal).
• Host/server based
  – Network shares – user login.
  – Look at login based mounting and whether all shares should be mounted.
• Data source based
  – Not everyone should have access to all data
  – Who has access to what in the database

Authentication
• Handling authentication is key to maintaining solid walls.
• Authentication is the process of connecting the identity of a real person (or device) to its digital identity.

Authentication
• Authentication is based on one or more factors
  – What you know (password, secret information)
  – What you have (badge, smart card, debit card)
  – What you are (fingerprint, retinal scan, voice)
  – Where you are (in front of a computer, GPS)

Password Security
• Q: Is there a difference between a strong password and a secret password?
A strong password (strength) is one that cannot be guessed
vs.
A secret password (secrecy) is one that is only known by the password owner

Password Threats
• Enumerated are threat sources that reveal passwords to attackers
[Diagram labels: Internet; Our Computer; Legitimate Website; Malicious Website; User]
1) User discloses password
2) Social engineering
3) Malware (software keylogger)
4) Hardware keylogger
5) Sniffing
6) Phishing Website
7) Password file exposed
8) Attacker guesses password
9) Security question

Multi factor authentication
• Requires the user to provide more than one method of authentication
  – Password + authorized computer
  – Password + text message
  – Password + fingerprint
• Attacker needs to have access to something physical and the secret.
  – Makes it very hard to compromise the account.

3. Cryptography
• Whole Disk
• Mobile device
• File based
• Data egress
• Data in motion

Whole Disk Encryption
• A must for laptops that leave the organization
• Issues
  – Key escrow
  – Overseas travel
• What it fixes
  – Lost or stolen device
• What it does not fix
  – User driven data loss

Mobile device Cryptography
• Harder problem
• Newer devices are starting to support this
• Same issues as laptops

File-based Cryptography
• Not as common
• Typical with data files on servers
  – SS #
  – Credit Cards, etc
• Effective against attacker stealing the file
• Not effective with Malware, or embedded keys

Egress Cryptography
• When data leaves it can be encrypted
• Might be needed based on government regulations
• Often it is better to use a secure web based portal

Data in motion Cryptography
• Typically used when data leaves the organization
  – Secure web
  – VPN
• Sometimes is used between front end server and backend database.

4. Contingency planning
• Assume you will lose data
• Know what you are going to do ahead of time
  – Dealing with the customers
  – Dealing with the public
• How do you know what you lost
  – Auditing, Logging, forensics
• How are you going to recover
  – Destroyed data (SONY)

5. Coaching
• Everyone needs to understand
  – Data is important
  – What does it mean to be a good data steward
  – What role they have in security
• Do NOT make it a penalty for having data as you adopt new data protection models.
• Security literacy

User Education: How should we do it?
• By teaching Computer Security Literacy in terms the average user will understand
  – If abstracted correctly (using analogies, metaphors, and common language) practical computer security is accessible to ALL
• By relating computer security to everyday activities
• By helping users understand they have a role in their own safety

Literacy: going beyond awareness
• Top 10 lists and posters are not effective in providing the readers with the tools needed to take an active role in their security
  – These methods can raise awareness that there is a problem, but we need to go beyond awareness.

Key Points
• Know what data is private and what data is not and let the owners know which is which
• Know where your data is located and where it goes
• Protect what is private from both insiders and outsiders
• Know that the attackers are adapting to your defenses.

Parting comments
• Work to make security part of the culture
• Put security in context of everyday life
• You have a role in building bridges and helping make security part of the conversation
• Assume you are a target
• Be prepared.

Questions