Page 1: Data Security: Protecting data within an organization

Doug Jacobson
Information Assurance Center, Iowa State University
www.iac.iastate.edu

(Slide transcript, posted 19-Dec-2015)

Page 2: Outline

• The past (slides from a 1998 talk)
• What are the threats
• What is the state of the art in defense
• New threat model (they are inside)
  – Data threats
  – Data protection

Page 3: The Past

Page 4: The Past

Page 5: Today, is there still a problem?

• One recent report
  – 800 million records lost
  – 60% were from hacking
• Documented attacks against
  – Power grid, banking, transportation
  – (Just about every critical sector)
• Heartbleed, BASH, POODLE, Sandworm, Target/Home Depot/DQ, SONY
• Does not include the attacks directed at people

Page 6: What has changed in 15 years?

• More attackers
• More possible devices (over 7 billion)
• More motivations to attack ($, IP, war)
• More reliance on technology
• More potential victims (users on the net)
• More news coverage
• More DATA to steal

Page 7: What are the threats?

• There are almost as many ways to classify threats as there are threats
• We want to look at:
  – Why is this a hard problem
  – What are the targets
  – What is our risk
  – Who is after us

Page 8: Why is threat classification hard?

• There is no longer a solid perimeter
  – Wireless, mobile, computing everywhere
• Multiple vendors providing solutions
• Security is not a selling point; first to market wins
• Outsourcing
• New technologies
• Change in tactics
• Time compression

Page 9: What is our risk?

• We don’t know how important something is until we lose it.

• We don’t always know what is important to others (customers, attackers)

• We don’t know what we have and where it is

• New technology makes it hard to keep up

• New model: Assume attackers are in your network.

Page 10: Who is after us?

• Script kiddies

• Hackers

• Professionals

• Nation states

Page 11: Goals vs. outcomes

• Goals:
  – Theft (money, data, etc.)
  – Cyber crime
    • Aid in a physical crime, or just a cyber crime
  – Terrorism
    • Aid in physical activity, or cyber only
  – Disruption
• The outcome of an attack may be the same independent of the goal.

Page 12: How they do it: Attacks of opportunity

• Often carried out by script kiddies
• Pick on vulnerable systems
  – Not installing patches
• Misconfigured systems
  – Initial configuration problems
  – Reconfiguration problems

Page 13: How they do it: Advanced Persistent Threat

• Attackers will pick a target or targets and wait until you make a mistake.
  – Misconfiguration
  – Not patching a system
• Or they will target your employees with phishing emails
  – Get them to disclose passwords
  – Get them to go to web sites that serve malware
  – Send attachments with malware
• Zero day attacks

Page 14: (APT) Likely targets

• The Internet of things
  – Power, water, transportation, etc.
• Where the money is
  – Banks, people, organizations (lower tech = target)
• Intellectual property
  – Technology (ag sector, manufacturing, etc.)
• Gain access

Page 15: How they do it: Types of insider threats

• Intentional: think of the number of egress points and the number of protocols involved.
• Accidental: as applications become more integrated and seamless it becomes easier to send data (email, IM, peer to peer).
• Intentionally accidental: as we have hardened our defenses, attackers are using more social-based attacks to get users to leak information.

Page 16: Careless insider

• Attackers have shifted focus to the employees and home users
  – Phishing
  – Viruses
  – Spyware
  – Social engineering
• Using email, peer to peer, IM, web sites, software downloads

Page 17: Example (Target)

• Attackers had malware that reads memory and sends it to a drop site
• Unclear if they picked certain retailers or just looked for ones they could insert the malware into

[Diagram: CC reader → memory → encrypt & verify → to Target main office]

Page 18: Example (Target)

• Used weak security at an HVAC company to get a login name and password to Target
• Tested software Nov 15-28
• Nov 30 pushed to most POS terminals

[Diagram: CC reader → memory → encrypt & verify → Target main office; malware reading POS memory → to drop sites; HVAC attackers as the entry point]

Page 19: Credit cards for sale

• The Home Depot theft was over a longer period

Page 20: Example (SONY)

• Still unclear how they gained access.
• Appears to be APT
• Attackers raised the stakes in that this is one of the first attacks that caused widespread destruction of computing resources.
  – Well written and very complex malware

Page 21: Now let's talk about defense

• First, cyber security is an unfair war
  – Defenders must be perfect
  – Attackers only need to get it right once.
  – Law enforcement often cannot tell if something happened.
• Let's look at where we are at
  – Prevention (defense)
  – Detection
  – Attribution

Page 22: State of the art in defense

• Most organizations practice defense in depth
• However we are still often just reacting to events.
• Sometimes we don't even know they are attacking

Page 23: State of the art in protection / prevention

We know how to build forts and protect ourselves from the outside

Page 24: Let's talk about walls

• We build lots of technology based walls around everything.

Page 25: Threats against the wall

• SW/HW faults: a defect in the wall
• Config faults: an open door in the wall
• Auth faults: a bad lock on the door
• Social faults: getting the door key from the user

Page 26: Threats to the people

• Phishing
• Email attachments
  – Trojans
  – Viruses
• Peer-to-peer
• Web sites
• Wireless
• Social networking

Page 27: Threats adapt

Page 28: Detection

• Hard to know when we are being attacked
  – Often we know because of some other data (bank statement, audit, etc.)
• Finding an attack in all of the data
• Users and organizations need to play a role.
• Very little information sharing to know if there is a pattern across organizations

Page 29: Attribution

• Very hard problem
• Device attribution vs. people attribution
  – Easier to identify a device than the person
  – Often attacks come from places where information is hard to get
• Many technologies allow users to hide
• Need forensics
  – Network
  – Computer

Page 30: The future

• Internet of things
  – More devices than people connected to the Internet
• Highly focused attacks
  – People
  – Infrastructure
• New risk model
  – Assume they are inside already
• True cyber physical attack

Page 31: New threat model

• This is a complex system problem
  – We need to assume they are or will be inside our systems
• They want our data
  – Sell it
  – Use it
  – Destroy it
  – Use it against us
• We need to protect it

Page 32: No easy solution

• There is no longer a solid perimeter
  – Wireless, mobile, computing everywhere

• Multiple vendors providing solutions

• Home grown solutions

• Adaptive attacks

• Data leakage

Page 33: Let's talk about data

• Can you answer these questions:
  – How much data do you have?
  – Where does the data live?
  – How many copies are there?
  – Who has the copies?
  – Do they know they have a copy?
  – Do they know how to protect it?
  – Do you have a plan?

Page 34: What is data?

• Data acts like water
  – Just as the earth is mostly water, most of your organization is based on data.
  – Water is everywhere and so is your data.
  – Data, like water, is hard to hold on to once it leaves its container.
  – Like water, everyone wants data.
  – Like water, many people are willing to share data when asked.
• One big difference: data can be copied

Page 35: Computer Information Volume

• Terabyte: 1,099,511,627,776 bytes
• Page size: 3000 bytes
• Pages: 366,503,875
• Ream: 500 pages
• Reams: 733,007
• Ream height: 2"
• Total height: 1,466,014" = 122,168' or 23 miles
• Olympus Mons: 78,740'

Page 36: Data Leakage

• Focus has been on identity theft, and while that is an important issue, organizations should not forget the importance of their other data.
• Increasing number of protocols
• Increasing number of attackers
• Increasing number of user driven applications
• Increasing amount of data
• Increasing government intervention
• Increasing number of attacks against insiders

Page 37: Data Loss Prevention

• Where is your data located?
  – Centralized, distributed, both
• Who has access to your data?
  – Read, write, delete
• Who controls your data?
  – Owners, users, anyone
• Do you manage
  – Data at rest?
  – Data in motion?
  – Data in devices?

Page 38: Data at Rest

• Your data is stored somewhere (everywhere)
  – How many ways can data at rest be copied, moved, or examined?
  – How do you find your data at rest?
    • Discovery
  – How do you keep your data at rest safe?
    • Encryption, device locking

Page 39: Data In Motion

• Used to keep private information from leaving
  – SS numbers, account numbers, records
• Will either log, stop, or encrypt violating content
• What is leaving your organization?
  – Protocols
  – User installed applications
  – Confidential data

Page 40: Data In Devices

• Do people carry the data with them?
  – Phones
  – Laptops
  – Tablets
  – Whatever the new technology is
• Do people remotely access data from their mobile device?

Page 41: The five Cs of data protection

• Classification

• Compartmentalization

• Cryptography

• Contingency planning

• Coaching

Page 42: 1. Data Classification

• Develop a taxonomy for the different data types (industry specific)
• Decide what levels of protection are needed for each data classification
• Find the data in your organization
  – Move, destroy, protect.
• Develop a plan to keep looking for the data

Page 43: Data Classification

Page 44: Data Classification

• Develop levels
  – Restricted
  – High
  – Moderate
  – Low
• Decide what data fits into what level
• When you are not sure you can use the FIPS 199 standard

Page 45: Federal Information Processing Standards (FIPS) publication 199

Potential impact per security objective (the slide's LIMITED / SERIOUS / SEVERE columns are the LOW / MODERATE / HIGH impact levels of FIPS 199):

Confidentiality: preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  – LIMITED IMPACT: the unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  – SERIOUS IMPACT: the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  – SEVERE IMPACT: the unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity: guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
  – LIMITED IMPACT: the unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  – SERIOUS IMPACT: the unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  – SEVERE IMPACT: the unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability: ensuring timely and reliable access to and use of information.
  – LIMITED IMPACT: the disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  – SERIOUS IMPACT: the disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  – SEVERE IMPACT: the disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Page 46: Example

Restricted:
  – Social Security Numbers
  – Credit Card Numbers
  – Financial Account Numbers, such as checking or investment account numbers
  – Driver's License Numbers
  – Health Insurance Policy ID Numbers
  – Health Information, including Protected Health Information (PHI)
  – Passport and visa numbers
  – Export controlled information under U.S. laws
  – Authentication credentials or identity verification information

High:
  – Confidential employee records
  – ID numbers
  – Student class schedules
  – ID card photographs
  – Disciplinary files

Moderate:
  – Research data (electronic and physical)
  – Employment applications, personnel files, benefits information, and birth date
  – Privileged attorney-client communications

Low:
  – Directory information
  – Approved census facts

Page 47: Finding your data

• Remember data is like water: it is hard to find the leak.
• Automated software can help find data
  – Agent based
  – Host/server based
  – Stand alone
• Maybe hold a spring cleaning day
  – Shred paper, remove files, know what you have
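As an added example (not code from the talk or from any product it mentions), here is the kind of content-aware scan that both the discovery tools on this slide and the data-in-motion controls on page 39 rely on. It finds the two restricted identifiers the deck keeps returning to, Social Security numbers and credit card numbers, validates card candidates with the Luhn check to cut false positives, inventories which documents hold them, and maps a finding on an egress channel to the log, stop or encrypt action of a data-in-motion control. The sample documents and the channel policy are constructed for this example.

```python
"""Content-aware data discovery and egress check (added example, not from the talk).

Finds the restricted identifiers the deck keeps returning to, Social Security
numbers and payment card numbers, in text; validates card candidates with the
Luhn check; inventories which documents hold what; and maps a finding on an
egress channel to the log / stop / encrypt action of a data-in-motion control.
Sample documents and the channel policy are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# SSN: AAA-GG-SSSS, excluding area 000, 666 and 9xx, group 00 and serial 0000,
# which are never issued, so they are cheap false positives to drop.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)(\d{4})\b")
# Card: 13 to 19 digits, optionally separated by single spaces or dashes.
# Longer digit runs are deliberately not matched (they are not card numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# What a data-in-motion control does when Restricted data hits a channel.
# Unknown channels fall through to "stop" (deny by default). Assumed policy.
CHANNEL_ACTION = {
    "internal_share": "log",
    "partner_sftp": "encrypt",
    "email": "stop",
    "web_upload": "stop",
}


@dataclass(frozen=True)
class Finding:
    kind: str            # "ssn" or "card"
    classification: str  # level from the talk's taxonomy
    redacted: str        # safe to write to a log
    offset: int          # where in the text it was found


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Finding]:
    """Return every SSN and Luhn-valid card number in `text`, in document order."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "Restricted", "***-**-" + m.group(1), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            redacted = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding("card", "Restricted", redacted, m.start()))
    return sorted(findings, key=lambda f: f.offset)


def discover(documents: Dict[str, str]) -> Dict[str, List[str]]:
    """Data-at-rest discovery: which documents hold which kinds of restricted data."""
    inventory = {}
    for path, text in documents.items():
        kinds = sorted({f.kind for f in scan_text(text)})
        if kinds:
            inventory[path] = kinds
    return inventory


def enforce(text: str, channel: str) -> Tuple[str, List[Finding]]:
    """Data-in-motion decision for `text` leaving over `channel`."""
    findings = scan_text(text)
    if not findings:
        return "allow", findings
    return CHANNEL_ACTION.get(channel, "stop"), findings


# Constructed sample documents (the card number is a well-known test number).
SAMPLE_DOCS = {
    "hr/onboarding.txt": "New hire Jane Doe, SSN 078-05-1120, start date 2015-12-01.",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456\n",
    "www/index.html": "<p>Welcome to the Information Assurance Center</p>",
}

if __name__ == "__main__":
    for path, kinds in discover(SAMPLE_DOCS).items():
        print(f"{path}: {', '.join(kinds)}")
    action, found = enforce(SAMPLE_DOCS["finance/refunds.csv"], "email")
    print(action, [f.redacted for f in found])
```

Two caveats a practitioner would add: roughly one in ten random 13 to 19 digit strings passes Luhn, so pair the check with issuer prefixes or a confidence score before you block rather than log; and a pattern match only catches data it can see, so encrypted or compressed egress has to be inspected at the endpoint, which is where the agent based tools on this slide sit.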

Page 48: 2. Compartmentalization

• Assume the attacker is acting as an insider
• You need to control who has access to what data.
  – Network based
  – Host/server based
  – Data source based
• The role of authentication

Page 49: Network based

• Typically uses technology to enforce internal compartmentalization
  – Internal FW, VLANs, VPN
• Monitor internal network access
• Worry about wireless

Page 50: Host/server based

• Know what data is stored on which host
  – Agent software
• Control access to server shares
  – Authentication based
  – Limit access to only people that need to know
  – Beware of host to host authentication

Page 51: Data source based

• Control access to data sources
  – Databases, files, etc.
  – Authentication based access
  – Role based access
• Use network based compartmentalization to help restrict access to data sources
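To make the layers concrete, here is an added example (not code from the talk) of an access decision that combines network based and data source based compartmentalization with the classification levels from the data classification slides. A request is allowed only if the caller's network zone may reach the data source's zone and the caller's role grants the operation at that classification; anything not explicitly granted is denied. The zones, roles, users and data sources are assumptions made for this example.

```python
"""Two-layer access check for data sources (added example, not from the talk).

Layer 1, network based: a caller may only reach a data source whose network
zone is reachable from the caller's zone. Layer 2, data source based: the
caller's role must grant the requested operation at the data's classification
level. Both layers deny by default, which is the point of compartmentalization
when you assume the attacker already holds an insider's credentials.
Zones, roles, users and data sources below are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Tuple

# Classification levels from the talk, least to most sensitive.
LEVELS = ["Low", "Moderate", "High", "Restricted"]

# Network-based compartmentalization: zones a source zone may open connections to.
# End-user zones never reach db_tier directly; they must go through app_tier.
REACHABLE = {
    "office_lan": {"office_lan", "app_tier"},
    "vpn": {"app_tier"},
    "wifi_guest": set(),                 # guests reach nothing internal
    "app_tier": {"app_tier", "db_tier"},
}

# Role based access: the highest classification a role may touch, per operation.
# An operation missing from a role is denied.
ROLE_GRANTS = {
    "hr_analyst": {"read": "Restricted", "write": "High"},
    "researcher": {"read": "Moderate", "write": "Moderate"},
    "dba": {"read": "Moderate", "write": "Moderate", "delete": "Moderate"},
    "helpdesk": {"read": "Low"},
}


@dataclass(frozen=True)
class DataSource:
    name: str
    zone: str
    classification: str


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    zone: str          # where the request comes from, e.g. the user's subnet


def network_allows(src_zone: str, dst_zone: str) -> bool:
    """Deny unless the destination zone is explicitly reachable from the source."""
    return dst_zone in REACHABLE.get(src_zone, set())


def role_allows(role: str, op: str, classification: str) -> bool:
    """Deny unless the role has a ceiling for `op` at or above the data's level."""
    ceiling = ROLE_GRANTS.get(role, {}).get(op)
    if ceiling is None or classification not in LEVELS:
        return False
    return LEVELS.index(classification) <= LEVELS.index(ceiling)


def authorize(p: Principal, op: str, ds: DataSource) -> Tuple[bool, str]:
    """Network layer first, then role layer; the reason string goes to the audit log."""
    if not network_allows(p.zone, ds.zone):
        return False, f"network: {p.zone} cannot reach {ds.zone} ({ds.name})"
    if not role_allows(p.role, op, ds.classification):
        return False, f"role: {p.role} may not {op} {ds.classification} data ({ds.name})"
    return True, f"allow: {p.user} {op} {ds.name}"


# Assumed data sources: the HR portal fronts the payroll database.
HR_PORTAL = DataSource("hr_portal", "app_tier", "Restricted")
PAYROLL_DB = DataSource("payroll_db", "db_tier", "Restricted")
RESEARCH_SHARE = DataSource("research_share", "app_tier", "Moderate")
DIRECTORY = DataSource("directory", "app_tier", "Low")

if __name__ == "__main__":
    alice = Principal("alice", "hr_analyst", "office_lan")
    for op, ds in (("read", HR_PORTAL), ("read", PAYROLL_DB)):
        print(authorize(alice, op, ds))
```

The interesting denial is the HR analyst who is allowed Restricted data through the HR portal but cannot open the payroll database directly from the office LAN: the network layer forces the path through the application tier, so a compromised workstation cannot bypass the application's own authentication and logging. The reason string is what the audit trail needs when the contingency planning slide asks "how do you know what you lost".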

Page 52: Authentication control

• Network based
  – VPN (typically external to internal).
• Host/server based
  – Network shares: user login.
  – Look at login based mounting, and whether all shares should be mounted.
• Data source based
  – Not everyone should have access to all data
  – Who has access to what in the database

Page 53: Authentication

• Handling authentication is key to maintaining solid walls.

• Authentication is the process of connecting the identity of a real person (or device) to its digital identity.

Page 54: Authentication

• Authentication is based on one or more factors
  – What you know (password, secret information)
  – What you have (badge, smart card, debit card)
  – What you are (fingerprint, retinal scan, voice)
  – Where you are (in front of a computer, GPS)

Page 55: Password Security

• Q: Is there a difference between a strong password and a secret password?
  – A strong password is one that cannot be guessed (strength).
  – A secret password is one that is known only by the password owner (secrecy).
  – Strength vs. secrecy: they are independent properties. A strong password that has been disclosed protects nothing, and most of the threats on the next slide attack secrecy rather than strength.

Page 56: Password Threats

• Enumerated are threat sources that reveal passwords to attackers

[Diagram: the user, our computer, the Internet, a legitimate website and a malicious website, with the numbered threats placed where they occur]

1) User discloses password
2) Social engineering
3) Malware (software keylogger)
4) Hardware keylogger
5) Sniffing
6) Phishing website
7) Password file exposed
8) Attacker guesses password
9) Security question

Page 57: Multi factor authentication

• Requires the user to provide more than one method of authentication
  – Password + authorized computer
  – Password + text message
  – Password + fingerprint
• The attacker needs to have access to something physical and the secret.
  – Makes it very hard to compromise the account.
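An added example (not code from the talk) of what "password + text message" or "password + authenticator app" looks like at the verifying end. The first factor is a salted PBKDF2 hash of the password; the second is a time-based one-time code (RFC 6238 TOTP, built on RFC 4226 HOTP), which is the same HMAC construction most phone apps and many SMS and hardware token systems use. The user record, the clock values and the RFC reference secret are constructed inputs, and the PBKDF2 iteration count is a placeholder to tune for your hardware.

```python
"""Two-factor login check (added example, not code from the talk).

Factor 1, what you know: the password, stored as a salted PBKDF2-HMAC-SHA256
hash. Factor 2, what you have: a 6-digit time-based one-time code (RFC 6238
TOTP over RFC 4226 HOTP) from a phone app or token. A stolen password alone,
or a single intercepted code alone, does not log the attacker in.
The user record, secret and clock values below are constructed for this example.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Placeholder work factor: tune to your hardware (current guidance is in the
# hundreds of thousands of iterations for SHA-256).
PBKDF2_ITERATIONS = 200_000
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(candidate, digest)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(now) // step)


def verify_totp(secret: bytes, code: str, now: float, last_counter: int = -1,
                window: int = 1) -> Optional[int]:
    """Return the matching time-step counter, or None.

    Accepts +/- `window` steps of clock drift, but never a counter at or below
    the last one used, so a captured code cannot be replayed inside its step.
    """
    counter = int(now) // TOTP_STEP_SECONDS
    for candidate in range(counter - window, counter + window + 1):
        if candidate > last_counter and hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


def make_user(username: str, password: str, totp_secret: bytes) -> dict:
    salt, digest = hash_password(password)
    return {"username": username, "salt": salt, "pw_hash": digest,
            "totp_secret": totp_secret, "last_counter": -1}


def login(user: dict, password: str, code: str, now: float) -> bool:
    """Both factors are always evaluated, so the response does not reveal which failed."""
    password_ok = verify_password(password, user["salt"], user["pw_hash"])
    matched_counter = verify_totp(user["totp_secret"], code, now, user["last_counter"])
    if not (password_ok and matched_counter is not None):
        return False
    user["last_counter"] = matched_counter   # burn the code that was just used
    return True


# RFC 4226 / RFC 6238 reference secret; constructed demo account.
RFC_TEST_SECRET = b"12345678901234567890"
DEMO_USER = make_user("alice", "correct horse battery staple", RFC_TEST_SECRET)

if __name__ == "__main__":
    now = 59                                   # RFC 6238 test time: step counter 1
    code = totp(RFC_TEST_SECRET, now)          # "287082", the RFC reference vector
    print("first login:", login(DEMO_USER, "correct horse battery staple", code, now))
    print("replayed code:", login(DEMO_USER, "correct horse battery staple", code, now))
```

Both factors are evaluated before the decision is taken, so a failure does not tell the attacker which one was wrong, and a code is accepted only once per time step, which stops a phished or shoulder-surfed code from being reused inside its 30-second window. What this does not fix is a real-time phishing proxy that relays both the password and the code within that window, which is why phishing-resistant factors (hardware keys bound to the site) are preferred for high-value accounts.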

Page 58: 3. Cryptography

• Whole Disk

• Mobile device

• File based

• Data egress

• Data in motion

Page 59: Whole Disk Encryption

• A must for laptops that leave the organization
• Issues
  – Key escrow
  – Overseas travel
• What it fixes
  – Lost or stolen device
• What it does not fix
  – User driven data loss

Page 60: Mobile device Cryptography

• Harder problem

• Newer devices are starting to support this

• Same issues as laptops

Page 61: Information Assurance Center Iowa State University 1 Data Security: Protecting data within an organization Doug Jacobson Information Assurance Center

Information Assurance CenterInformation Assurance Center Iowa State University Iowa State University 6161

File-based Cryptography

• Not as common

• Typical with data files on servers

– Social Security numbers (SSNs)

– Credit cards, etc.

• Effective against an attacker stealing the file

• Not effective against malware or embedded keys
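An added Go example, not from the slides, of file-based cryptography done the way the slide's two caveats require: the key is read at run time from the environment (a hypothetical variable name, standing in for an HSM or secrets manager) rather than embedded in the program, and the file is sealed with AES-256-GCM so that a stolen copy is opaque and any modification is rejected. The record contents are constructed and obviously fake.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// Hypothetical environment variable holding the 32-byte key as 64 hex chars.
// Reading the key at run time (from the environment, an HSM or a secrets
// manager) is what avoids the "embedded key" the slide warns about: a key
// compiled into the program travels with the stolen file.
const keyEnv = "DATAFILE_KEY_HEX"

func loadKey() ([]byte, error) {
	h := os.Getenv(keyEnv)
	if h == "" {
		return nil, fmt.Errorf("%s is not set", keyEnv)
	}
	key, err := hex.DecodeString(h)
	if err != nil || len(key) != 32 {
		return nil, errors.New("key must be 32 bytes encoded as hex")
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES-256 for a 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob returns nonce || AES-GCM ciphertext || tag. The file name is bound
// as additional authenticated data so an encrypted blob cannot be silently
// renamed or swapped between files.
func sealBlob(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// openBlob reverses sealBlob and fails closed on any modification, wrong key
// or wrong file name.
func openBlob(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

func main() {
	key, err := loadKey()
	if err != nil {
		// Stand-alone demo only: mint a throwaway key when none is configured.
		fmt.Println("no configured key:", err, "(using a random demo key)")
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			panic(err)
		}
	}
	// Constructed records with obviously fake SSN and card values.
	records := []byte("000-00-0000,0000000000000000\n000-00-0001,0000000000000001\n")
	blob, err := sealBlob(key, "customers.csv", records)
	if err != nil {
		panic(err)
	}
	fmt.Printf("a stolen copy shows only %d opaque bytes\n", len(blob))
	if _, err := openBlob(key, "customers.csv", blob); err == nil {
		fmt.Println("holder of the key can read the records")
	}
	blob[len(blob)-1] ^= 0x01
	if _, err := openBlob(key, "customers.csv", blob); err != nil {
		fmt.Println("tampered file rejected:", err)
	}
}
```

This protects the file at rest, which is the case the slide calls effective. It does nothing for the other case on the slide: malware running on the server with access to the same environment variable can call openBlob just as the application does, so the key's exposure on the host, not the file format, sets the real limit.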

Egress Cryptography

• When data leaves it can be encrypted

• Might be needed based on government regulations

• Often it is better to use a secure web-based portal

Data in motion Cryptography

• Typically used when data leaves the organization

– Secure web

– VPN

• Sometimes it is used between the front-end server and the back-end database.

4. Contingency planning

• Assume you will lose data

• Know what you are going to do ahead of time

– Dealing with the customers

– Dealing with the public

• How do you know what you lost?

– Auditing, logging, forensics

• How are you going to recover?

– Destroyed data (SONY)

5. Coaching

• Everyone needs to understand

– Data is important

– What it means to be a good data steward

– What role they have in security

• Do NOT make it a penalty for having data as you adopt new data protection models.

• Security literacy

User Education: How should we do it?

• By teaching Computer Security Literacy in terms the average user will understand

– If abstracted correctly (using analogies, metaphors, and common language), practical computer security is accessible to ALL

• By relating computer security to everyday activities

• By helping users understand they have a role in their own safety

Literacy: going beyond awareness

• Top 10 lists and posters are not effective in providing readers with the tools needed to take an active role in their security

– These methods can raise awareness that there is a problem, but we need to go beyond awareness.

Key Points

• Know what data is private and what data is not and let the owners know which is which

• Know where your data is located and where it goes

• Protect what is private from both insiders and outsiders

• Know that the attackers are adapting to your defenses.

Parting comments

• Work to make security part of the culture

• Put security in context of everyday life

• You have a role in building bridges and helping make security part of the conversation

• Assume you are a target

• Be prepared.

Questions