Confidentiality - PowerPoint PPT Presentation

Slides: 19
Provided by: timshi
Transcript and Presenter's Notes

1
Confidentiality
  • (slides courtesy of Danny Lungstrom and Senthil
    Somasundaram)

2
CIA Triad
  • Ref: Security in Computing - Charles Pfleeger

3
Threats to Confidentiality
  • Access to confidential information by any
    unauthorized person
  • Intercepted data transfers
  • Physical loss of data
  • Privileged access of confidential information by
    employees
  • Social engineering methods used to gain
    confidential information
  • Unauthorized access to physical records
  • Transfer of confidential information to
    unauthorized third parties
  • Compromised machine where attacker is able to
    access data thought to be secure

4
Confidentiality Agreements
  • Strict access controls are crucial to protecting
    the confidential information
  • Those who should have access to the confidential
    information should be clearly defined
  • These people must sign a very clear
    confidentiality agreement
  • Should understand importance of keeping the
    information private

5
Financial Importance
  • According to the Computer Security Institute's 6th
    Computer Crime and Security Survey, the most
    serious financial losses occurred through theft of
    proprietary information
  • 34 respondents reported losses of $151,230,100
  • 4.5 million per company in 1 year

6
Trade Secrets
  • No registration/approval or standard procedure
  • Quick and easy
  • Limited protection
  • Not protected against reverse engineering or
    obtaining the secret by honest means

7
Trade Secrets (2)
  • Why trade secrets?
  • How to protect:
      • Enforce confidentiality agreements
      • Label all information as Confidential for the
        courts
  • How long do trade secrets remain secret?
      • Average is 4 to 5 years (decreasing)

8
Best Kept Trade Secrets
  • Coca-Cola
      • Coca-Cola decided to keep its formula secret,
        decades ago!
      • Only known to a few people within the company
      • Stored in the vault of a bank in Atlanta
      • The few that know the formula have signed very
        explicit confidentiality agreements
      • Rumor has it, those that know the formula are not
        allowed to travel together
      • If Coca-Cola had instead patented the syrup
        formula, everyone could be making it today
  • KFC

9
Phishing Scams
  • Tricking people into providing malicious users
    with their private/financial information
  • Financial losses to consumers: $500 million to
    $2.4 billion per year, depending on the source
  • 15 percent of people that have visited a spoofed
    website have parted with private/personal data,
    much of the time including credit card, checking
    account, and social security numbers

10
Phishing example?
  • Date: Tue, 20 Sep 2005 03:06:03 -0700 (PDT)
    From: Countrywide countrywide_at_email.countrywide.com
    To: tjs_at_cert.org
    Subject: Important Customer Correspondence
  • Image alt text in the message body: "height",
    "Countrywide - Full Speectrum Lending Division",
    "1-866-227-4118", "height", "height", "height",
    "If you could use some extra cash, Countrywide
    could make it easy.", "Click Here to Get Started",
    "height", "height", "height", "height"
  • Dear Timothy,
  • We can help customers get cash from the available
    equity they've built up in their homes by
    refinancing their mortgages, and with the trend
    in rising home values, we estimate your home's
    equity may have increased to as much as
    $43,867.00. (much more)
  • Phone number appears legit; current mortgage
    holder
  • Note typographical errors (Speectrum, empty
    images, etc.)
  • Big payoff offered
  • On closer look, the embedded domains don't match
    the From domain (m0.net, r.delivery.net, not
    countrywide.com; all on the same ISP, Digital
    Impact)
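
The last bullet's check can be automated: compare the registrable domain of every link or image host in the body against the From: domain and report the ones that differ. The example below is added here, not part of the slides; the message is a constructed sample modelled on the slide's headers and link domains, with invented body HTML and URLs and a placeholder recipient address.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the slide's header and link domains; the body
# HTML, the URLs and the recipient address are invented for illustration.
SAMPLE = """\
From: Countrywide <countrywide@email.countrywide.com>
To: recipient@example.org
Subject: Important Customer Correspondence
Content-Type: text/html

<html><body>
<img src="http://m0.net/img/spacer.gif" alt="height">
<p>If you could use some extra cash, Countrywide could make it easy.</p>
<a href="http://r.delivery.net/track?id=1">Click Here to Get Started</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect hostnames from every href and src attribute in the HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlparse(value).hostname
                if host:
                    self.hosts.append(host.lower())

def registrable(host):
    """Last two labels of a hostname: fine for .com/.net, too naive for co.uk."""
    return ".".join(host.split(".")[-2:])

def mismatched_hosts(raw):
    """Embedded hosts whose registrable domain differs from the From: domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = registrable(msg["From"].addresses[0].domain.lower())
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    return sorted({h for h in collector.hosts if registrable(h) != from_domain})

if __name__ == "__main__":
    print(mismatched_hosts(SAMPLE))  # ['m0.net', 'r.delivery.net']
```

A message whose links all resolve to the sender's own domain yields an empty list; a non-empty list is a cue to inspect, not proof of phishing on its own.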

11
Legal Requirements
  • HIPAA
  • Gramm-Leach-Bliley
  • FERPA
  • Confidentiality/Non-disclosure Agreements

12
Giant Eagle Example
  • Giant Eagle's Loyalty Program
  • Nearly 4 million active users in 2005
  • Users' purchases at both the grocery store and
    gas station are knowingly monitored
  • Can even link the card to fuel perks, enable
    check cashing and video rental service
  • Also use card at 4,000 hotels, Avis, Hertz,
    Alamo, numerous local retailers, sporting events,
    museums, zoos, ballets, operas, etc.

13
Giant Eagle (2)
  • From the privacy policy:
      • Giant Eagle does not share your personal
        information or purchase information with anyone
        except
      • As necessary to enable us to offer you savings on
        products or services, or
      • As necessary to complete a transaction initiated
        by you through the use of your card

14
Writing Policies
  • Ask numerous questions before beginning:
      • What information is confidential?
      • Who should be allowed to access this information?
      • How long is it to remain confidential?
      • What type of security policy is needed?
      • What level of confidentiality is necessary for
        the given organization?

15
Chinese Wall Policy
  • Conflicts of interest
      • A person in one company having access to
        confidential information in a competing company
  • Based on three levels of abstract groups:
      • Objects
      • Company Groups
      • Conflict Classes: company groups with competing
        interests

16
Chinese Wall Policy (2)
  • Access control policy
  • An individual may access any information, given
    that (s)he has never accessed any information from
    another company in the same conflict class
  • So, once an individual has accessed any object in a
    given conflict class, they are from then on
    restricted to only that company group within the
    conflict class; the rest are off-limits
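
The read rule on the two Chinese Wall slides, as an added example that is not part of the original presentation: a subject's history records which company group it has touched in each conflict class, and a read is permitted only when the subject has touched nothing in that class or only the same company group. The company groups and conflict classes are constructed sample data, and the example covers the read rule only, since the slides describe no write rule.

```python
from collections import defaultdict

# Constructed sample data: two conflict classes of competing companies.
COMPANY_GROUP = {          # object -> company group that owns it
    "bankA_q3_report": "BankA",
    "bankB_loan_book": "BankB",
    "oilX_reserves": "OilX",
}
CONFLICT_CLASS = {         # company group -> conflict class
    "BankA": "banks",
    "BankB": "banks",
    "OilX": "oil",
}

class ChineseWall:
    """Brewer-Nash style read check over objects, company groups and conflict classes."""

    def __init__(self, company_group, conflict_class):
        self.company_group = company_group
        self.conflict_class = conflict_class
        # subject -> {conflict class -> company group already accessed}
        self.history = defaultdict(dict)

    def can_read(self, subject, obj):
        company = self.company_group[obj]
        cls = self.conflict_class[company]
        chosen = self.history[subject].get(cls)
        # Allowed if nothing in this conflict class was touched yet, or only
        # this same company group; any competitor in the class is off-limits.
        return chosen is None or chosen == company

    def read(self, subject, obj):
        """Grant the read and record the choice, or refuse it."""
        if not self.can_read(subject, obj):
            return False
        company = self.company_group[obj]
        self.history[subject][self.conflict_class[company]] = company
        return True

if __name__ == "__main__":
    wall = ChineseWall(COMPANY_GROUP, CONFLICT_CLASS)
    print(wall.read("alice", "bankA_q3_report"))  # True: first access in 'banks'
    print(wall.read("alice", "bankB_loan_book"))  # False: competitor in same class
    print(wall.read("alice", "oilX_reserves"))    # True: a different conflict class
```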

17
Writing the Policy
  • Contents should include:
      • Obligation of confidentiality
      • Restrictions on the use of confidential
        information
      • Limitations on access to the confidential
        information
      • Explicit notification as to what is confidential

18
Implementing Policy
  • Host lockdown
  • Database lockdown
  • Encryption
  • Backup controls
  • Email
  • Network lockdown
  • Device controls
  • Personnel controls