Transcript of faculty.kutztown.edu/shim/Security.pdf
Protecting the value of Information Assets
Information Security
Raman Kannan
[email protected], MoT and CS, Tandon School of Engineering, NYU
Security is “the quality or state of being secure—to be free from danger.”
Securing Assets is existential
And there is a contention between security and utility.
http://web.stanford.edu/class/cs259d
Many forms of Security
http://www.cengage.com/resource_uploads/downloads/1111138214_259146.pdf
Our Focus: Information Security
● Background
● Definitions
● Status Quo, recent incidents
● Mitigation Strategies
Information Security (InfoSec): “practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction”.
Data
We are a data-driven species. Companies we run and use all depend on data.
Without appropriate management of data, our ATMs, cell phones, television, Facebook, nothing will work.
The internet connects billions of devices – crossed 5B in 2010.
Democratic elections are won on data – Barack Obama – redistricting congressional districts
It is a double-edged sword – it can be misused – 2016 Presidential elections
Ownership and protecting what we own is critical
https://www.us-cert.gov/sites/default/files/publications/infosecuritybasics.pdf
Trade-Off
Convenience and easy access to information come with risks. Among them are the risks that valuable information will be lost, stolen, changed, or misused.
Three basic security concepts important to information are confidentiality, integrity, and availability.
Concepts relating to the people who use that information are authentication, authorization, and nonrepudiation.
Terminology: CIA
When information is read or copied by someone not authorized to do so, the result is known as loss of Confidentiality.
Information can be corrupted, and when information is modified in unexpected ways, the result is known as loss of Integrity.
Information can be erased or become inaccessible, resulting in loss of Availability.
When users cannot access the network or specific services provided on the network, they experience a denial of service.
Terminology: Authentication, Authorization
Authentication is proving that a user is the person he or she claims to be.
Authorization is the act of determining whether a particular user (or computer system) has the right to carry out a certain activity, such as reading a file or running a program.
Authentication and authorization go hand in hand. Users must be authenticated before carrying out the activity they are authorized to perform.
Security is strong when the means of authentication cannot later be refuted—the user cannot later deny that he or she performed the activity. This is known as non-repudiation.
Risk
The term "risk" refers to the likelihood of being targeted by a given attack, of an attack being successful, and general exposure to a given threat. A risk assessment is performed to determine the most important potential security breaches to address now, rather than later. One enumerates the most critical and most likely dangers, and evaluates their levels of risk relative to each other as a function of the interaction between the cost of a breach and the probability of that breach. Analyzing risk can help one determine appropriate security budgeting — for both time and money — and prioritize security policy implementations so that the most immediate challenges can be resolved the most quickly.
Threat
The term "threat" refers to the source and means of a particular type of attack. A threat assessment is performed to determine the best approaches to securing a system against a particular threat, or class of threat. Penetration testing exercises are substantially focused on assessing threat profiles, to help one develop effective countermeasures against the types of attacks represented by a given threat. Where risk assessments focus more on analyzing the potential and tendency of one's resources to fall prey to various attacks, threat assessments focus more on analyzing the attacker's resources. Analyzing threats can help one develop specific security policies to implement in line with policy priorities and understand the specific implementation needs for securing one's resources.
Basic types of threats
Human Error, Computer Crime, Natural Disasters
Experiencing MIS: Information System Security Chap 10
Forms of unauthorized data disclosure
Pretexting: occurs when someone deceives by pretending to be someone else. Phone call scammers claim to call from the IRS, the FBI, or a credit card company.
Phishing: unauthorized access – like pretexting but uses email. The email appears to come from a legitimate company requesting sensitive info.
Spoofing: another term for someone deceiving by pretending to be someone else. Sending email pretending to be your professor, you are spoofing your professor. IP spoofing – network traffic using someone else's IP address. Email spoofing – same as phishing.
Sniffing: intercept, capture and alter computer communications. Wardrivers – hijack wireless communications over unsecured networks in order to monitor and intercept. Spyware and adware are two other sniffing techniques.
Hacking: breaking into computers and stealing confidential data
Malware: malicious software can wreak all forms of disruption from stealing to DoS
Forms of illegal data modification
Rerouting tax refunds, electronic payments to illegitimate accounts.
Unauthorized modifications to employment, health, financial records
Placing incorrect price and or other product information on websites.
Note that poor engineering can also result in overwriting, lost updates, etc.
Faulty service: replacing a legitimate software service with a nefarious service; sending wrong products/parts; illegal data modification
Usurpation occurs when computer systems are taken over or replaced by criminal activity, etc.
DoS – Denial of Service – human error shutting down a critical component
Flooding a web server with useless service requests so that the server is unable to serve legitimate revenue-generating requests
Loss of Infrastructure – what would happen to the water supply if the electricity network – the power grid – is disrupted... a construction bulldozer unintentionally cutting power lines
Vulnerability
The term "vulnerability" refers to the security flaws in a system that allow an attack to be successful. Vulnerability testing should be performed on an ongoing basis by the parties responsible for resolving such vulnerabilities, and helps to provide data used to identify unexpected dangers to security that need to be addressed. Such vulnerabilities are not particular to technology — they can also apply to social factors such as individual authentication and authorization policies.
Testing for vulnerabilities is useful for maintaining ongoing security, allowing the people responsible for the security of one's resources to respond effectively to new dangers as they arise. It is also invaluable for policy and technology development, and as part of a technology selection process; selecting the right technology early on can ensure significant savings in time, money, and other business costs further down the line.
Why mind terminology?
Understanding the proper use of such terms is important not only to sound like you know what you're talking about, nor even just to facilitate communication. It also helps develop and employ good policies. The specificity of technical jargon reflects the way experts have identified clear distinctions between practical realities of their fields of expertise, and can help clarify even for oneself how one should address the challenges that arise.
IT security, like any other technical field, has its own specialized language developed to make it easier for experts to discuss the subject. It pays to understand this jargon when researching security.
A lot of security terms get used almost interchangeably in the popular tech press, even when they shouldn't. Different security jargon terms have distinct meanings, to be used in specific ways, for a reason.
For example, a "risk assessment" and a "threat assessment" are two entirely different things, and each is valuable for its own reasons and applicable to solving different problems.
Example Vulnerabilities
http://web.stanford.edu/class/cs259d
Example Attacks
http://web.stanford.edu/class/cs259d
Attack Sophistication
http://web.stanford.edu/class/cs259d
Data Roles: Owners, Custodians, Users, Business Units, Executives, DBAs, Security, Ops, Reporting/techs
Fortify vulnerabilities against threats to reduce risk(s).
The NIST Framework Core consists of five concurrent and continuous Functions — Identify, Protect, Detect, Respond, Recover
Status Quo
● What do we know
● Recent cases
● Industry
Financial Services
Government Agencies
Retail
Healthcare
Intellectual Property
Highly publicized breaches
Other recent breaches
http://web.stanford.edu/class/cs259d
DNC HQ Hacking, Wikileaks, Snowden, Panama Papers
Financial Institutions
http://www.bitpipe.com/data/demandEngage.action?resId=1472508164_627
Financial institutions (FIs) must support the channels: mobile wallets, real-time peer-to-peer (P2P), and digital account opening (KYC)
Requires the right mix of security solutions, background analytics, and personnel
AML (anti-money laundering) – illegal/dirty money – sanitizing money
IRS
10 Steps to effective fraud prevention – Deborah Pianko, SAS Security Intelligence Practice
http://go.techtarget.com/r/73556502/20647047/2
The most pervasive and publicized problem is identity theft. It’s getting pandemic – the IRS reported 5M fraudulent returns in 2013, and the number has only grown.
Criminals, both large and small scale, steal personal demographic and financial information and use it to file fraudulent tax returns and claim refunds.
Identity theft --> fraudulent tax returns and claimed refunds.
Personal information --> stolen from corporate customer databases --> at the Office of Personnel Management --> stolen credit cards and info can be purchased on the black market --> can also be stolen directly by employees at hospitals, banks, other businesses, and government agencies, including the tax agencies
Credit Card Statistics
Credit Card Fraud by Type
Fraud Victims and Losses
FTC Sentinel 2014 Report
https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-january-december-2014/sentinel-cy2014-1.pdf
False Positives
Fraud remains a serious danger in the U.S., but transactions wrongly declined due to suspected fraud — known as a “false positive” — may represent just as big a threat.
https://www.javelinstrategy.com/coverage-area/future-proofing-card-authorization
Estimates: around 15% of all cardholders have experienced a false decline annually
Annual decline amount of almost $118 billion
May be 1 ~ 2 billion in revenue loss to credit card companies assuming a 1 ~ 2% fee
There ain't no free lunch
There is a cost associated with threat mitigation and loss prevention.
In life there is no such thing as free lunch!
Backups
Recovery Procedures
Monitoring
Password/Encryption
Access Control Lists
Single Sign On
Multi-factor Authentication
Firewall/secure sockets/kerberos and so on
Too many jobs! Too few qualified specialists!
Rewarding career path
Cannot be outsourced or offshored!
Mitigation Strategies
● Information Management & Governance
● EMV – Europay Mastercard Visa
● Card Verification Value
● TTL – expiry
● Strong Passwords
● encryption
● https, sftp, ssh
Mitigation Strategies: Retail Banks
http://www.bobsguide.com/guide/news/2017/Mar/7/digital-id-and-verification-in-retail-banking/
Traditional forms of ID&V, including photographic ID, in-person transaction and address verification, are at odds with the digital banking era – lacking convenience, speed and remote access.
Biometrics: response
More advanced – evolving
Machine learning
Machine learning is a branch of artificial intelligence study that concentrates on induction algorithms and on other algorithms that can learn from data and events and detect, alert and prevent security breaches.
Data-driven techniques (machine learning technology) render rules-based systems obsolete in anomaly detection
Writing rules for all possible combinations is not practical – techniques must learn and scale with data and data volumes
Passwords and PINs are here to stay
http://www.bobsguide.com/guide/news/2017/Mar/7/digital-id-and-verification-in-retail-banking
Make them strong... change as needed... and delete browser cache and close applications when you are done...
More advanced – evolving
Take Responsibility
Life does not reward stupidity!
Be Smart!
References
http://www.creditcards.com/credit-card-news/credit-card-security-id-theft-fraud-statistics-1276.php
http://www.techrepublic.com/blog/it-security/understanding-risk-threat-and-vulnerability/
http://www.phil.frb.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2002/FraudManagement_042002.pdf
http://lexisnexis.com/risk/downloads/whitepaper/true-cost-fraud-mobile-2014.pdf
https://ssl.www8.hp.com/ww/en/secure/pdf/4aa6-8392enw.pdf
http://www.nasdaq.com/article/credit-card-fraud-and-id-theft-statistics-cm520388
https://www.ftc.gov/reports/consumer-sentinel-network-data-book-january-december-2014
http://web.stanford.edu/class/cs259d/
https://www.nist.gov/cyberframework
https://www.nist.gov/cyberframework/industry-resources
http://www.cengage.com/resource_uploads/downloads/1111138214_259146.pdf
http://www.bobsguide.com/guide/news/2017/Mar/7/digital-id-and-verification-in-retail-banking
http://www.bobsguide.com/guide/news/2017/Mar/3/how-machine-learning-technology-is-making-rules-based-systems-obsolete-in-anomaly-detection-jim-heinzman-interview/
http://www.businesswire.com/news/home/20100816005081/en/Internet-Connected-Devices-Pass-5-Billion-Milestone
Thank you.