Privacy and Encryption in eGovernment Dewey Landrum Technical Architect – CSO SLED West Sector...
Privacy and Encryption in eGovernment
Dewey Landrum
Technical Architect – CSO SLED West Sector
CISSP
August 11, 2008
© 2007 BearingPoint, Inc.
Privacy Regulations
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Texas Administrative Code
TAC, Title 1, Part 10, Chapter 202
Texas Public Information Act
Part III, Chapter 252
Right to Access
Special Right to Access
SubChapter C - Information Excepted
Most Useful Source
Privacy Act and Portals
Examples of Private Information
Personal Information
Litigation & Negotiations
Competition or Bidding Information
Location or Price of Property
Records that would interfere with prosecution
Student Records
Birth (75 years) & Death (25 years) Records
Audit Working Papers
Addresses, Telephone Numbers, Social Security Numbers, & Personal Family Information of state employees & peace officers
Photographs of law enforcement & security guards
Examples Continued
Certain email addresses
Crime Victim Information
Family Violence & Shelter work information
Information related to Computer Security Issues
Military Discharge Records (DD-214 – 75 years)
Many others not listed
The Confusion of Encryption
Encryption can be a very confusing topic
Various algorithms
─ DES, Triple DES, AES, BLOWFISH, etc.
Asymmetrical versus Symmetrical
Asymmetrical – usually two keys
─ One for everyone to encrypt to (public key)
─ One for just you to decrypt by (private key)
Symmetrical
─ One key used to decrypt and encrypt by
Different opinions on what and when to encrypt
Encrypt everything
Encrypt just what you need
Plus – it’s based on advanced math!
A Cornucopia of Standards
NIST SP 800-21 Guidelines for Implementing Cryptography in Federal Government
NIST SP 800-38C Block Cipher Modes of Operation: Authentication & Confidentiality
FIPS 180-2 Secure Hash Standard
FIPS 186-2 Digital Signature Standard
FIPS 192 Advanced Encryption Standard (AES)
Many other government based standards
FISMA
PCI
HIPAA
GLBA
Why Encrypt?
Encryption is used to keep sensitive information private
Military and Governments have used various forms of encryption for centuries
Only recently widely used by businesses and civilians
Encryption can be used to encrypt information in the following ways:
While information is being moved from one place to another (in transit)
While information is being processed
While information is being stored
What are all these algorithms?
DES, Triple DES, AES, etc.
As computing power becomes greater, various encryption standards become effectively weaker
DES was once so strong, the government asked that it be weakened so it could be broken if necessary
Triple DES is just DES run through the encryption/decryption process three times
AES (Advanced Encryption Standard) is the latest government standard
These are basically the mathematical formulas for encrypting and decrypting data
Asymmetrical Keys
A fancy word that basically means:
“I have two keys that aren’t the same. One key for encryption, one key for decryption.”
Asymmetrical – two keys that aren’t the same
Used so that many people can send information to one source without the senders being able to decrypt the information
• They must have their own key if they are going to receive encrypted information.
• Must deal with the problem of having to have the public key for everyone receiving information. Biggest issue is key distribution.
• Takes more processing power because you may be encrypting to many keys at once.
Symmetrical Keys
A fancy word that basically means:
“I have one key to encrypt and decrypt by.”
Symmetrical – one key used for encryption and decryption
Typically used for small groups of people or for applications accessing the same data
Faster than Asymmetrical because there’s only one key
Everyone that is going to encrypt or decrypt must have the same key
• How do you prevent the key from being distributed to unauthorized people?
• How do you know the key isn’t being accessed by someone not authorized to access it?
• What if the key gets corrupt or compromised?
• How do I change the keys?
Differing Opinions on Encryption
There are two basic views on encrypting network traffic:
Encrypt everything from the client browser connection to the database
Encrypt only what needs to be encrypted until you get to a trusted environment
Encrypt Everything
Encrypt everything from the client browser connection to the database, including network traffic
Use SSL (Secure Socket Layer) to encrypt the connection to the web server so it can’t be intercepted over the Internet
Encrypt internal traffic (SSL or IPSEC) so it can’t be intercepted by either staff members or rogue users
Encrypt it in the database so if someone breaks in and steals the data, it is still encrypted
Problems with Encrypt Everything
There are various issues with SSL browser compatibility
─ Older browsers may not support 128 bit encryption
Export laws – if you only support 128 bit encryption, you may not be able to support world wide commerce
Encrypting internal traffic blocks the ability to monitor attacks
─ Most Intrusion Prevention/Detection Systems don’t support decryption of traffic for inspection - they are blind to encrypted attacks
Many of the better hacking tools now support SSL as an option - hackers choose this option to hide their attacks from Intrusion Prevention/Detection systems
Host-based IPS can decrypt traffic for inspection, but is much more expensive to put on every host than deployment of a network-based sensor
Database encryption works only if the attacker is outside of the application and does not have access to the keys
It’s much more expensive – disks, network bandwidth, processing time, etc.
Encrypt Only What You Need To
Encrypt only what is required to protect data
Use SSL (Secure Socket Layer) to encrypt the connection to the web server so it can’t be intercepted over the Internet and only when you are passing sensitive information
Encrypt internal traffic only when it is very sensitive information and you are in a mixed network environment
─ If you don’t trust your data center or internal staff, maybe you need new staff
Encrypt only the columns in the database that contain sensitive information
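As an added example that is not part of the presentation, the following Go program shows one way to carry out the "encrypt only the sensitive columns" approach while answering the key-management questions raised on the Symmetrical Keys slide (how do I change the keys, what if a key is compromised). Each row's sensitive cell is encrypted under its own data key, and that data key is stored wrapped under a master key kept outside the database, so the master key can be rotated without re-encrypting the table; the function names and this envelope layout are the example's own assumptions, not something the deck prescribes.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

func gcm(key []byte) cipher.AEAD { // AES-256-GCM; all keys here are random 32-byte values
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not user input
	}
	g, _ := cipher.NewGCM(block)
	return g
}
// seal prepends a fresh random nonce; open reverses it and fails on a wrong key or tampering.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
// EncryptColumn protects one sensitive cell (an SSN, say) under a fresh per-row data key (DEK);
// the row stores the cell ciphertext plus the DEK wrapped under a master key (KEK) held outside the database.
func EncryptColumn(kek []byte, cell string) (wrappedDEK, ct []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(kek, dek), seal(dek, []byte(cell))
}
// DecryptColumn needs the KEK to unwrap the DEK before the cell can be read.
func DecryptColumn(kek, wrappedDEK, ct []byte) (string, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return "", err
	}
	cell, err := open(dek, ct)
	return string(cell), err
}
// RotateKEK answers "how do I change the keys?": only the wrapped DEK is rewritten; the cell ciphertext is untouched.
func RotateKEK(oldKEK, newKEK, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(oldKEK, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return seal(newKEK, dek), nil
}
```

A dump of the table alone is useless without the master key, which is exactly the separation that the Rhode Island example later in the deck lacked once the attacker could reach the keys.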
Problems with Encrypt What You Need To
SSL is still vulnerable to “Man-in-the-Middle” attacks
Various versions of SSL have vulnerabilities like any other piece of software - must keep it updated
Must force connections to redirect to encryption
Web servers are frequently breached, which gives a “beachhead” for sniffing internal traffic that is not encrypted
Staff members steal more data than hackers - encrypted internal traffic helps stop this
Database encryption can occur within the application or at the database
─ To only encrypt certain columns is more expensive (more code)
How do you know what to encrypt?
What about aggregated information?
Do you trust your DBAs more than System Administrators?
Encryption Won’t Always Help
Many attacks are now conducted through the application
The application must have access to the data
Most attacks are successful because of improper input validation (they don’t properly check what the user is putting in the form)
Many attacks are successful because unnecessary services were running or certain services were not properly patched or configured
Allowing administrative services to be accessible from the Internet is also a common cause for breaches
Example – Rhode Island
The information was encrypted in the database and SSL was used for connections
Improper input validation let the hacker display files containing server user names and hashed passwords
─ Many tools are available to “unhash” the passwords
─ This type of issue is usually either a patch or configuration issue.
─ Most IPS systems will detect this type of attack if they can read the traffic.
An unprotected (outside of VPN access) SSH (Secure Shell) service was available from the Internet - the hacker just logged in with an account and password
The hacker spooled information from the database to a file
─ He was outside of the application, so the data was strongly encrypted
─ He had access to the keys, so he downloaded them
─ Since encryption methods are standard, he downloaded an encryption kit for the type of encryption used and decrypted the data
─ Proper monitoring would have caught access to the keys
How do you protect your information?
A good foundation of policies and procedures
Follow established standards
─ FISMA
─ PCI
─ GLBA
DO NOT make up your own encryption standard
Perform proper monitoring
Encrypt what is necessary
Perform audits to ensure processes work and are being followed
Perform testing
Have a third-party evaluate your program