Protecting the value of Information Assets
faculty.kutztown.edu/shim/Security.pdf

Page 1:

Protecting the value of Information Assets

Information Security
Raman Kannan
rk2153@nyu.edu
Adjunct, MoT and CS
Tandon School of Engineering, NYU

Security is “the quality or state of being secure—to be free from danger.”

Page 2:

Securing Assets is existential

And there is a contention between security and utility.

http://web.stanford.edu/class/cs259d

Page 3:

Many forms of Security

http://www.cengage.com/resource_uploads/downloads/1111138214_259146.pdf

Page 4:

Our Focus: Information Security

● Background

● Definitions

● Status Quo, recent incidents

● Mitigation Strategies

Information Security (InfoSec): "practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction".

Page 5:

Data

We are a data-driven species. The companies we run and use all depend on data. Without appropriate management of data, our ATMs, cell phones, television, Facebook, nothing will work. The internet connects billions of devices – it crossed 5B in 2010.

Democratic elections are won on data – Barack Obama – redistricting congressional districts.

It is a double-edged sword – it can be misused – 2016 Presidential elections.

Ownership and protecting what we own is critical.

https://www.us-cert.gov/sites/default/files/publications/infosecuritybasics.pdf

Page 6:

Trade-Off

Convenience and easy access to information come with risks. Among them are the risks that valuable information will be lost, stolen, changed, or misused.

Three basic security concepts important to information are confidentiality, integrity, and availability.

Concepts relating to the people who use that information are authentication, authorization, and nonrepudiation.

Page 7:

Terminology: CIA

When information is read or copied by someone not authorized to do so, the result is known as loss of Confidentiality.

Information can be corrupted, and when information is modified in unexpected ways, the result is known as loss of Integrity.

Information can be erased or become inaccessible, resulting in loss of Availability.

When users cannot access the network or specific services provided on the network, they experience a denial of service.

Page 8:

Terminology: Authentication, Authorization

Authentication is proving that a user is the person he or she claims to be.

Authorization is the act of determining whether a particular user (or computer system) has the right to carry out a certain activity, such as reading a file or running a program.

Authentication and authorization go hand in hand. Users must be authenticated before carrying out the activity they are authorized to perform.

Security is strong when the means of authentication cannot later be refuted—the user cannot later deny that he or she performed the activity. This is known as non-repudiation.
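An added example, not from the slides, that puts these three definitions in code: a caller is authenticated against a salted password hash, only an authenticated principal is checked against an access control list, and every decision is written to a keyed-hash audit log. The user store, ACL and audit key are constructed for the example; the keyed hash gives the log integrity, but non-repudiation in the slide's sense needs a signature made with a key only that user holds, which the standard library does not provide.

```python
# Added example (not from the slides): authenticate, then authorize, then audit.
# USERS, ACL and AUDIT_KEY are constructed for the example.
import hashlib
import hmac
import json
import os
import time
from typing import Optional

ITERATIONS = 200_000


def make_user(password: str) -> dict:
    """Store a salted PBKDF2 hash, never the plaintext password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


USERS = {"alice": make_user("correct horse battery staple")}
# Constructed ACL: (principal, action, resource) triples that are allowed.
ACL = {("alice", "read", "payroll.csv"), ("alice", "run", "report.py")}
AUDIT_KEY = os.urandom(32)  # assumption: held only by the audit service
AUDIT_LOG = []


def authenticate(username: str, password: str) -> Optional[str]:
    """Prove the caller is who they claim to be; return the principal, or None."""
    user = USERS.get(username)
    if user is None:
        # Do the same work for unknown users so response time does not reveal valid names.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], ITERATIONS)
    return username if hmac.compare_digest(candidate, user["hash"]) else None


def authorize(principal: Optional[str], action: str, resource: str) -> bool:
    """Only an authenticated principal can be authorized; unauthenticated callers never are."""
    return principal is not None and (principal, action, resource) in ACL


def _tag(body: dict) -> str:
    return hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()


def perform(username: str, password: str, action: str, resource: str) -> bool:
    """Authentication first, then authorization, then an audit entry for either outcome."""
    principal = authenticate(username, password)
    allowed = authorize(principal, action, resource)
    record = {"who": username, "authenticated": principal is not None, "action": action,
              "resource": resource, "allowed": allowed, "ts": int(time.time())}
    AUDIT_LOG.append({**record, "tag": _tag(record)})
    return allowed


def audit_intact(entry: dict) -> bool:
    """Recompute the keyed hash; an altered entry (loss of integrity) fails this check."""
    body = {k: v for k, v in entry.items() if k != "tag"}
    return hmac.compare_digest(_tag(body), entry["tag"])
```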

Page 9:

Risk

The term "risk" refers to the likelihood of being targeted by a given attack, of an attack being successful, and general exposure to a given threat. A risk assessment is performed to determine the most important potential security breaches to address now, rather than later. One enumerates the most critical and most likely dangers, and evaluates their levels of risk relative to each other as a function of the interaction between the cost of a breach and the probability of that breach.

Analyzing risk can help one determine appropriate security budgeting — for both time and money — and prioritize security policy implementations so that the most immediate challenges can be resolved the most quickly.

Page 10:

Threat

The term "threat" refers to the source and means of a particular type of attack. A threat assessment is performed to determine the best approaches to securing a system against a particular threat, or class of threat. Penetration testing exercises are substantially focused on assessing threat profiles, to help one develop effective countermeasures against the types of attacks represented by a given threat. Where risk assessments focus more on analyzing the potential and tendency of one's resources to fall prey to various attacks, threat assessments focus more on analyzing the attacker's resources.

Analyzing threats can help one develop specific security policies to implement in line with policy priorities and understand the specific implementation needs for securing one's resources.

Page 11:

Basic types of threats

Human Error, Computer Crime, Natural Disasters

Experiencing MIS: Information System Security Chap 10

Page 12:

Forms of unauthorized data disclosure

Experiencing MIS: Information System Security Chap 10

Pretexting: occurs when someone deceives by pretending to be someone else. Phone call scammers claim to call from the IRS, the FBI, or a credit card company.

Phishing: unauthorized access – like pretexting but uses email. The email appears to come from a legitimate company requesting sensitive info.

Spoofing: another term for deceiving by pretending to be someone else. If you send email pretending to be your professor, you are spoofing your professor. IP spoofing – network traffic using someone else's IP address. Email spoofing – the same as phishing.

Sniffing: intercepting, capturing and altering computer communications. Wardrivers hijack wireless communications over unsecured networks in order to monitor and intercept. Spyware and adware are two other sniffing techniques.

Hacking: breaking into computers to steal confidential data.

Malware: malicious software that can wreak all forms of disruption, from stealing to DoS.

Page 13:

Forms of illegal data modification

Experiencing MIS: Information System Security Chap 10

Rerouting tax refunds and electronic payments to illegitimate accounts.

Unauthorized modifications to employment, health, and financial records.

Placing incorrect price and/or other product information on websites.

Note that poor engineering can also result in overwriting, lost updates, etc.

Faulty service: replacing a legitimate software service with a nefarious service – sending wrong products/parts, illegal data modification.

Usurpation occurs when computer systems are taken over, replaced by criminal activity, etc.

DoS – Denial of Service – human error shutting down a critical component; flooding a web server with useless service requests so that the server is unable to serve legitimate revenue-generating requests.

Loss of Infrastructure – what would happen to the water supply if the electricity network (the power grid) is disrupted... a construction bulldozer unintentionally cutting power lines.

Page 14:

Vulnerability

The term "vulnerability" refers to the security flaws in a system that allow an attack to be successful. Vulnerability testing should be performed on an ongoing basis by the parties responsible for resolving such vulnerabilities, and helps to provide data used to identify unexpected dangers to security that need to be addressed. Such vulnerabilities are not particular to technology — they can also apply to social factors such as individual authentication and authorization policies.

Testing for vulnerabilities is useful for maintaining ongoing security, allowing the people responsible for the security of one's resources to respond effectively to new dangers as they arise. It is also invaluable for policy and technology development, and as part of a technology selection process; selecting the right technology early on can ensure significant savings in time, money, and other business costs further down the line.

Page 15:

Why mind terminology?

Understanding the proper use of such terms is important not only to sound like you know what you're talking about, nor even just to facilitate communication. It also helps develop and employ good policies. The specificity of technical jargon reflects the way experts have identified clear distinctions between practical realities of their fields of expertise, and can help clarify even for oneself how one should address the challenges that arise.

IT security, like any other technical field, has its own specialized language developed to make it easier for experts to discuss the subject. It pays to understand this jargon when researching security.

A lot of security terms get used almost interchangeably in the popular tech press, even when they shouldn't. Different security jargon terms have distinct meanings, to be used in specific ways, for a reason.

For example, a "risk assessment" and a "threat assessment" are two entirely different things, and each is valuable for its own reasons and applicable to solving different problems.

Page 16:

Example Vulnerabilities

http://web.stanford.edu/class/cs259d

Page 17:

Example Attacks

http://web.stanford.edu/class/cs259d

Page 18:

Attack Sophistication

http://web.stanford.edu/class/cs259d

Page 19:

Data Roles

Owners, Custodians, Users, Business Units, Executives, DBAs, Security, Ops, Reporting/techs

Fortify vulnerabilities against threats to reduce risk(s).

The NIST Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover.

Page 20:

Status Quo

● What do we know
● Recent cases
● Industry

Financial Services

Government Agencies

Retail

Healthcare

Intellectual Property

Page 21:

Highly publicized breaches

Page 22:

Other recent breaches

http://web.stanford.edu/class/cs259d

DNC HQ Hacking, Wikileaks, Snowden, Panama Papers

Page 23:

Financial Institutions

http://www.bitpipe.com/data/demandEngage.action?resId=1472508164_627

Financial institutions (FIs) must support the channels: mobile wallets, real-time peer-to-peer (P2P), and digital account opening (KYC).

Requires the right mix of security solutions, background analytics, and personnel.

AML – Illegal/Dirty Money – Sanitizing money

Page 24:

IRS

10 Steps to effective fraud prevention – DEBORAH PIANKO, SAS Security Intelligence Practice – http://go.techtarget.com/r/73556502/20647047/2

The most pervasive and publicized problem is identity theft. It’s getting pandemic – the IRS reported 5M fraudulent returns in 2013, and the number has only grown.

Criminals, both large and small scale, steal personal demographic and financial information and use it to file fraudulent tax returns and claim refunds.

Identity theft --> fraudulent tax returns and claimed refunds.

Personal information --> stolen from corporate customer databases --> at the Office of Personnel Management --> stolen credit cards and info can be purchased on the black market --> can also be stolen directly by employees at hospitals, banks, other businesses, and government agencies, including the tax agencies.

Page 25:

Credit Card Statistics

Page 26:

Credit Card Fraud by Type

Page 27:

Fraud Victims and Losses

Page 28:

FTC Sentinel 2014 Report

https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-january-december-2014/sentinel-cy2014-1.pdf

Page 29:

False Positives

Fraud remains a serious danger in the U.S., but transactions wrongly declined due to suspected fraud — known as a “false positive” — may represent just as big a threat.

https://www.javelinstrategy.com/coverage-area/future-proofing-card-authorization

Estimates: around 15% of all cardholders have experienced a false decline annually; annual decline amount of almost $118 billion. May be 1 ~ 2 billion in revenue loss to credit card companies, assuming a 1 ~ 2% fee.
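An added example, not from the slides, that puts the trade-off above in numbers: a constructed set of scored transactions is declined at several thresholds, and each threshold's approved-fraud loss is weighed against the revenue lost on false declines, using the slide's 2% fee as the issuer's take on a legitimate transaction plus an assumed fixed churn cost for each customer wrongly turned away.

```python
# Added example (not from the slides): pick a decline threshold by expected cost.
# TRANSACTIONS, FEE_RATE and CHURN_COST are constructed/assumed for the example.
from typing import Dict, Iterable, List, Tuple

# Constructed history: (model fraud score, amount in USD, was it really fraud?)
TRANSACTIONS: List[Tuple[float, float, bool]] = [
    (0.02, 40.0, False), (0.05, 120.0, False), (0.10, 15.0, False),
    (0.20, 300.0, False), (0.35, 80.0, False), (0.40, 900.0, True),
    (0.55, 60.0, False), (0.60, 450.0, True), (0.75, 2200.0, True),
    (0.80, 35.0, False), (0.90, 700.0, True), (0.97, 1500.0, True),
]
FEE_RATE = 0.02    # slide's upper bound: issuer earns ~1-2% of a legitimate transaction
CHURN_COST = 25.0  # assumption: future fees lost when a wrongly declined customer walks away


def outcome(threshold: float, txns=TRANSACTIONS) -> Dict[str, float]:
    """Decline everything scoring >= threshold and tally what that policy costs."""
    fraud_loss = fee_loss = 0.0
    caught = missed = false_declines = legit = 0
    for score, amount, is_fraud in txns:
        declined = score >= threshold
        if is_fraud:
            if declined:
                caught += 1
            else:            # approved fraud: the issuer absorbs the amount
                missed += 1
                fraud_loss += amount
        else:
            legit += 1
            if declined:     # false positive: a good customer is turned away
                false_declines += 1
                fee_loss += amount * FEE_RATE + CHURN_COST
    return {
        "threshold": threshold, "caught": caught, "missed": missed,
        "false_declines": false_declines,
        "false_decline_rate": round(false_declines / legit, 3) if legit else 0.0,
        "fraud_loss": round(fraud_loss, 2),
        "false_decline_loss": round(fee_loss, 2),
        "total_cost": round(fraud_loss + fee_loss, 2),
    }


def best_threshold(candidates: Iterable[float] = (0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9),
                   txns=TRANSACTIONS) -> Dict[str, float]:
    """The threshold whose combined fraud + false-decline cost is lowest."""
    return min((outcome(t, txns) for t in candidates), key=lambda o: o["total_cost"])


if __name__ == "__main__":
    for t in (0.3, 0.5, 0.7, 0.9):
        print(outcome(t))
    print("best:", best_threshold())
```

Raising the threshold drives the false-decline rate toward zero but lets high-value fraud through, which is why the cheapest policy on this data is not the one with the fewest declines.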

Page 30:

There ain't no free lunch

There is a cost associated with threat mitigation and loss prevention.

In life there is no such thing as a free lunch!

Backups, Recovery Procedures, Monitoring, Password/Encryption, Access Control Lists, Single Sign On, Multi-factor Authentication, Firewall/secure sockets/kerberos, and so on.

Too many jobs! Too few qualified specialists! Rewarding career path. Cannot be outsourced or offshored!

Page 31:

Mitigation Strategies

● Information Management & Governance
● EMV – Europay Mastercard Visa
● Card Verification Value
● TTL--expiry
● Strong Passwords
● encryption
● https, sftp, ssh

Page 32:

Mitigation Strategies: Retail Banks

http://www.bobsguide.com/guide/news/2017/Mar/7/digital-id-and-verification-in-retail-banking/

Traditional forms of ID&V, including photographic ID, in-person transaction and address verification, are at odds with the digital banking era – lacking convenience, speed and remote access.

Page 33:

Biometrics: response

Page 34:

More advanced – evolving

Machine learning

Machine learning is a branch of artificial intelligence study that concentrates on induction algorithms and on other algorithms that can learn from data and events and detect, alert and prevent security breaches.

Data-driven techniques (machine learning technology) render rules-based systems obsolete in anomaly detection.

Writing rules for all possible combinations is not practical – techniques must learn and scale with data and data volumes.

Page 35:

Passwords and PINs are here to stay

http://www.bobsguide.com/guide/news/2017/Mar/7/digital-id-and-verification-in-retail-banking

Make them strong... change as needed... And delete browser cache and close applications when you are done...

Page 36:

More advanced – evolving

Page 37:

Take Responsibility

Life does not reward stupidity! Be Smart!

Page 38:

References

http://www.creditcards.com/credit-card-news/credit-card-security-id-theft-fraud-statistics-1276.php
http://www.techrepublic.com/blog/it-security/understanding-risk-threat-and-vulnerability/
http://www.phil.frb.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2002/FraudManagement_042002.pdf
http://lexisnexis.com/risk/downloads/whitepaper/true-cost-fraud-mobile-2014.pdf
https://ssl.www8.hp.com/ww/en/secure/pdf/4aa6-8392enw.pdf
http://www.nasdaq.com/article/credit-card-fraud-and-id-theft-statistics-cm520388
https://www.ftc.gov/reports/consumer-sentinel-network-data-book-january-december-2014
http://web.stanford.edu/class/cs259d/
https://www.nist.gov/cyberframework
https://www.nist.gov/cyberframework/industry-resources
http://www.cengage.com/resource_uploads/downloads/1111138214_259146.pdf
http://www.bobsguide.com/guide/news/2017/Mar/7/digital-id-and-verification-in-retail-banking
http://www.bobsguide.com/guide/news/2017/Mar/3/how-machine-learning-technology-is-making-rules-based-systems-obsolete-in-anomaly-detection-jim-heinzman-interview/
http://www.businesswire.com/news/home/20100816005081/en/Internet-Connected-Devices-Pass-5-Billion-Milestone

Page 39:

Thank you.