Page 1: Privacy and Encryption in eGovernment

Dewey Landrum

Technical Architect – CSO SLED West Sector

CISSP

August 11, 2008

Page 2:

© 2007 BearingPoint, Inc.

Privacy Regulations

Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act (GLBA)

Texas Administrative Code

TAC, Title 1, Part 10, Chapter 202

Texas Public Information Act

Texas Government Code, Chapter 552

Right to Access

Special Right to Access

Subchapter C - Information Excepted from Required Disclosure

Most Useful Source

Page 3:

Privacy Act and Portals

Page 4:

Examples of Private Information

Personal Information

Litigation & Negotiations

Competition or Bidding Information

Location or Price of Property

Records that would interfere with prosecution

Student Records

Birth (75 years) & Death (25 years) Records

Audit Working Papers

Addresses, Telephone Numbers, Social Security Numbers, & Personal Family Information of state employees & peace officers

Photographs of law enforcement & security guards

Page 5:

Examples Continued

Certain email addresses

Crime Victim Information

Family Violence & Shelter work information

Information related to Computer Security Issues

Military Discharge Records (DD-214 – 75 years)

Many others not listed

Page 6:

The Confusion of Encryption

Encryption can be a very confusing topic

Various algorithms

─ DES, Triple DES, AES, Blowfish, etc.

Asymmetrical versus Symmetrical

Asymmetrical – two keys that differ

─ One that everyone can use to encrypt to you (public key)

─ One that only you hold, to decrypt with (private key)

Symmetrical

─ One shared key used for both encryption and decryption

Different opinions on what and when to encrypt

Encrypt everything

Encrypt just what you need

Plus – it’s based on advanced math!

Page 7:

A Cornucopia of Standards

NIST SP 800-21 Guidelines for Implementing Cryptography in Federal Government

NIST SP 800-38C Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality

FIPS 180-2 Secure Hash Standard

FIPS 186-2 Digital Signature Standard

FIPS 197 Advanced Encryption Standard (AES)

Many other government based standards

FISMA

PCI

HIPAA

GLBA

Page 8:

Why Encrypt?

Encryption is used to keep sensitive information private

Military and Governments have used various forms of encryption for centuries

Only recently widely used by businesses and civilians

Encryption can be used to encrypt information in the following ways:

While information is being moved from one place to another (in transit)

While information is being processed

While information is being stored

Page 9:

What are all these algorithms?

DES, Triple DES, AES, etc.

As computing power becomes greater, various encryption standards become effectively weaker

DES was once so strong that the government had its key length cut to 56 bits so the cipher could be broken if necessary; that short key is why DES can be brute-forced with today's computing power

Triple DES is just DES run three times in sequence (encrypt, decrypt, encrypt) with two or three independent keys

AES (Advanced Encryption Standard, FIPS 197) is the latest government standard

These are basically the mathematical formulas for encrypting and decrypting data

Page 10:

Asymmetrical Keys

A fancy word that basically means:

“I have two keys that aren’t the same. One key for encryption, one key for decryption.”

Asymmetrical – two keys that aren’t the same

Used so that many people can send information to one recipient without the senders (or each other) being able to decrypt it

• Each recipient must have their own key pair if they are going to receive encrypted information.

• A sender must have an authentic copy of the public key of everyone they send to. The biggest issue is key distribution: being sure a public key really belongs to the claimed recipient.

• Takes far more processing power per byte than a symmetric cipher, so in practice it is used to exchange a symmetric key or to sign rather than to encrypt bulk data; encrypting to many keys at once multiplies that cost.

Page 11:

Symmetrical Keys

A fancy word that basically means:

“I have one key to encrypt and decrypt by.”

Symmetrical – one key used for encryption and decryption

Typically used for small groups of people or for applications accessing the same data

Faster than asymmetrical: symmetric ciphers are built from cheap bit operations rather than large-number arithmetic, and there is only one key to manage per relationship

Everyone that is going to encrypt or decrypt must have the same key

• How do you prevent the key from being distributed to unauthorized people?

• How do you know the key isn’t being accessed by someone not authorized to access it?

• What if the key gets corrupt or compromised?

• How do I change the keys?

Page 12:

Differing Opinions on Encryption

There are two basic views on encrypting network traffic:

Encrypt everything from the client browser connection to the database

Encrypt only what needs to be encrypted until you get to a trusted environment

Page 13:

Encrypt Everything

Encrypt everything from the client browser connection to the database, including network traffic

Use SSL/TLS (Secure Sockets Layer / Transport Layer Security) to encrypt the browser's connection to the web server so it can't be intercepted over the Internet

Encrypt internal traffic (TLS or IPsec) so it can't be intercepted by either staff members or rogue users

Encrypt it in the database so if someone breaks in and steals the data, it is still encrypted

Page 14:

Problems with Encrypt Everything

There are various issues with SSL browser compatibility

─ Older browsers may not support 128 bit encryption

Export laws – if you only support 128 bit encryption, you may not be able to support world wide commerce

Encrypting internal traffic blocks the ability to monitor attacks

─ Most Intrusion Prevention/Detection Systems don't support decryption of traffic for inspection - they are blind to encrypted attacks

─ Many of the better hacking tools now support SSL as an option - attackers choose it precisely to hide their attacks from Intrusion Prevention/Detection systems

─ Host-based IPS can decrypt traffic for inspection, but is much more expensive to put on every host than deployment of a network-based sensor

Database encryption helps only against an attacker who is outside the application and does not have access to the keys

It’s much more expensive – disks, network bandwidth, processing time, etc.

Page 15:

Encrypt Only What You Need To

Encrypt only what is required to protect data

Use SSL/TLS (Secure Sockets Layer / Transport Layer Security) to encrypt the connection to the web server so it can't be intercepted over the Internet, and only when you are passing sensitive information

Encrypt internal traffic only when it is very sensitive information and you are in a mixed network environment

─ If you don’t trust your data center or internal staff, maybe you need new staff

Encrypt only the columns in the database that contain sensitive information
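An added example, not from the slides, of the column-level approach: only the sensitive column is encrypted, the key lives in the application rather than in the database, and every ciphertext is bound to its table, column and row so a value copied or swapped into another record fails to decrypt instead of quietly decrypting to the wrong person's data. Go standard library, AES-256-GCM; the table and column names and the sample rows are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// ColumnCipher protects individual column values with AES-256-GCM. The key
// is held by the application (or an HSM/KMS); it is never stored alongside
// the data, which is the whole point of encrypting in the database.
type ColumnCipher struct{ aead cipher.AEAD }

func NewColumnCipher(key []byte) (*ColumnCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ColumnCipher{aead: aead}, nil
}

// binding is authenticated (not encrypted) alongside the value, so a
// ciphertext lifted from one row or column will not open in another.
func binding(table, column string, rowID int64) []byte {
	return []byte(fmt.Sprintf("%s.%s#%d", table, column, rowID))
}

// Encrypt returns nonce||ciphertext||tag, base64-encoded for a text column.
func (c *ColumnCipher) Encrypt(table, column string, rowID int64, value string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nonce, nonce, []byte(value), binding(table, column, rowID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt fails closed on a wrong key, a modified value, or a value moved
// to a different table, column or row.
func (c *ColumnCipher) Decrypt(table, column string, rowID int64, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := c.aead.NonceSize()
	if len(raw) < n+c.aead.Overhead() {
		return "", errors.New("stored value too short")
	}
	pt, err := c.aead.Open(nil, raw[:n], raw[n:], binding(table, column, rowID))
	if err != nil {
		return "", fmt.Errorf("%s.%s row %d: %w", table, column, rowID, err)
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { // in production: loaded from a KMS/HSM
		panic(err)
	}
	cc, _ := NewColumnCipher(key)

	// Constructed sample rows: the name stays in the clear, only SSN is encrypted.
	type employee struct {
		ID   int64
		Name string
		SSN  string
	}
	rows := []employee{{1, "A. Citizen", "000-00-0001"}, {2, "B. Citizen", "000-00-0002"}}
	for i := range rows {
		rows[i].SSN, _ = cc.Encrypt("employee", "ssn", rows[i].ID, rows[i].SSN)
		fmt.Printf("row %d stored: %s\n", rows[i].ID, rows[i].SSN)
	}
	ssn, err := cc.Decrypt("employee", "ssn", 1, rows[0].SSN)
	fmt.Println("row 1 decrypts:", ssn, err)
	// A DBA copying row 2's ciphertext over row 1 gets an error, not a wrong SSN.
	_, err = cc.Decrypt("employee", "ssn", 1, rows[1].SSN)
	fmt.Println("swapped value:", err)
}
```

The cipher does not answer the slide's remaining questions (who may hold the key, how it is rotated); in practice a key identifier is stored next to each value and the keys themselves live in a KMS or HSM, so that an attacker who dumps the database has ciphertext and nothing else.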

Page 16:

Problems with Encrypt What You Need To

SSL/TLS is still vulnerable to "man-in-the-middle" attacks when the server certificate is not validated (self-signed certificates, users clicking through browser warnings)

Various versions of SSL/TLS implementations have vulnerabilities like any other piece of software - must keep them updated

Must redirect plain HTTP connections to HTTPS, and never accept a sensitive form submission over plain HTTP

Web servers are frequently breached, which gives a "beach head" for sniffing internal traffic that is not encrypted

Staff members steal more data than hackers - encrypted internal traffic helps stop this

Database encryption can occur within the application or at the database

─ To only encrypt certain columns is more expensive (more code)

How do you know what to encrypt?

What about aggregated information?

Do you trust your DBA’s more than System Administrators?
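An added example, not from the slides, of forcing the redirect the list above calls for, written as a Go net/http middleware: a plain-HTTP GET or HEAD is sent to the same URL over https://, any other plain-HTTP method is refused because a POSTed form has already crossed the wire in the clear before a redirect could help, and HTTPS responses carry a Strict-Transport-Security header (HSTS, RFC 6797, which postdates this talk) so the browser stops attempting plain HTTP at all. The host name and the X-Forwarded-Proto convention for a TLS-terminating proxy are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// RequireTLS wraps an application handler so that nothing sensitive is ever
// served or accepted over plain HTTP.
func RequireTLS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// r.TLS is set when this process terminated TLS itself. Behind a
		// TLS-terminating proxy the proxy must set X-Forwarded-Proto and the
		// application must be reachable only through that proxy (assumption).
		if r.TLS == nil && r.Header.Get("X-Forwarded-Proto") != "https" {
			switch r.Method {
			case http.MethodGet, http.MethodHead:
				// Safe methods carry no body: redirect to the same URL over TLS.
				http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			default:
				// A POST has already sent its form fields in the clear; a
				// redirect would only hide that fact. Refuse it.
				http.Error(w, "TLS required", http.StatusForbidden)
			}
			return
		}
		// HSTS: the browser remembers to use HTTPS for this host, so the
		// plain-HTTP round trip above stops happening on later visits.
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// secureForm stands in for the application page that handles sensitive data.
func secureForm(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "benefits application form (constructed sample)")
}

func main() {
	h := RequireTLS(http.HandlerFunc(secureForm))
	for _, req := range []*http.Request{
		httptest.NewRequest(http.MethodGet, "http://egov.example/apply?id=7", nil),
		httptest.NewRequest(http.MethodPost, "http://egov.example/apply", nil),
		httptest.NewRequest(http.MethodGet, "https://egov.example/apply?id=7", nil), // httptest sets r.TLS for https
	} {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		fmt.Printf("%s %s -> %d Location=%q HSTS=%q\n", req.Method, req.URL, rec.Code,
			rec.Header().Get("Location"), rec.Header().Get("Strict-Transport-Security"))
	}
}
```

The redirect alone still leaves the first request of every visit in the clear; the HSTS header is what closes that window for returning users, and the refusal of plain-HTTP POSTs is what keeps a mis-linked form from leaking the data it collects.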

Page 17:

Encryption Won’t Always Help

Many attacks are now conducted through the application

The application must have access to the data

Most attacks are successful because of improper input validation (they don’t properly check what the user is putting in the form)

Many attacks are successful because unnecessary services were running or certain services were not properly patched or configured

Allowing administrative services to be accessible from the Internet is also a common cause for breaches

Page 18:

Example – Rhode Island

The information was encrypted in the database and SSL was used for connections

Improper input validation let the hacker display files containing server user names and hashed passwords

─ Many tools are available to crack ("unhash") the passwords offline, so a hash dump is almost as bad as a password dump

─ This type of issue is usually either a patch or configuration issue.

─ Most IPS systems will detect this type of attack if they can read the traffic.

An unprotected (outside of VPN access) SSH (Secure Shell) service was available from the Internet - the hacker just logged in with an account and password

The hacker spooled information from the database to a file

─ He was outside of the application, so the data he spooled was still strongly encrypted

─ But he also had access to the keys, so he downloaded them

─ Since encryption algorithms are standard, he downloaded a toolkit for the algorithm in use and decrypted the data

─ Proper monitoring would have caught access to the keys
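An added example, not from the slides and not the Rhode Island application's own code, of the input-validation failure behind the first step of that breach: a file name taken from the request and joined straight onto the document root, shown beside a version that resolves the path and refuses anything that lands outside the root. Go standard library; the document root and file names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// vulnerablePath is the flaw: the user-supplied name is concatenated onto
// the document root with no check, so "../../etc/passwd" walks out of it.
func vulnerablePath(docRoot, name string) string {
	return docRoot + "/" + name
}

var ErrOutsideRoot = errors.New("requested path escapes the document root")

// safePath resolves name beneath docRoot and rejects (rather than silently
// rewriting) anything that ends up outside it. Rejecting produces an error
// the monitoring the slides call for can see; rewriting would hide the probe.
func safePath(docRoot, name string) (string, error) {
	if strings.ContainsRune(name, 0) {
		return "", ErrOutsideRoot // a NUL byte can truncate the path in lower layers
	}
	root := filepath.Clean(docRoot)
	// Join cleans its result, so every ".." is resolved before the check below.
	full := filepath.Join(root, name)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	// Caveat: a symlink inside root can still point outside it. Where users can
	// create files under root, resolve with filepath.EvalSymlinks and re-check.
	return full, nil
}

// readDocument is the hardened handler's core: validate first, then read.
func readDocument(docRoot, name string) ([]byte, error) {
	p, err := safePath(docRoot, name)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

func main() {
	root, err := os.MkdirTemp("", "docroot")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "notice.txt"), []byte("public notice (constructed)"), 0o644)

	for _, name := range []string{"notice.txt", "../../../../etc/passwd"} {
		fmt.Printf("name=%q\n  vulnerable joins to: %s\n", name, vulnerablePath(root, name))
		data, err := readDocument(root, name)
		fmt.Printf("  hardened: %q err=%v\n", data, err)
	}
}
```

Note that the check confines an absolute name such as `/etc/passwd` under the root rather than rejecting it; only names that resolve outside the root are refused, which is the traversal case the slide describes.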

Page 19:

How do you protect your information?

A good foundation of policies and procedures

Follow established standards

─ FISMA

─ PCI

─ GLBA

DO NOT make up your own encryption standard

Perform proper monitoring

Encrypt what is necessary

Perform audits to ensure processes work and are being followed

Perform testing

Have a third-party evaluate your program
