Confidentiality (slides courtesy of Danny Lungstrom and Senthil Somasundaram)

CIA Triad Confidentiality Availability Integrity Secure Ref: Security In Computing - Charles Pfleeger

Threats to Confidentiality  Access to confidential information by any unauthorized person  Intercepted data transfers  Physical loss of data  Privileged access of confidential information by employees  Social engineered methods to gain confidential information  Unauthorized access to physical records  Transfer of confidential information to unauthorized third parties  Compromised machine where attacker is able to access data thought to be secure

Confidentiality Agreements  Strict access controls are crucial to protecting the confidential information  Those who should have access to the confidential information should be clearly defined –These people must sign a very clear confidentiality agreement –Should understand importance of keeping the information private

Financial Importance  According to Computer Security Institute's 6 th “Computer Crime and Security Survey”  “the most serious financial losses occurred through theft of proprietary information”  34 respondents reported losses of $151,230,100  $4.5 million per company in 1 year

Trade Secrets  No registration/approval or standard procedure  Quick and easy  Limited protection –Not protected against reverse engineering or obtaining the secret by “honest” means

Trade Secrets (2)  Why trade secrets?  How to protect –Enforce confidentiality agreements –Label all information as “Confidential” for the courts  How long do trade secrets remain secret? –Average is 4 to 5 years (decreasing)

Best Kept Trade Secrets  Coca-cola –Coca-Cola decided to keep its formula secret, decades ago! –Only known to a few people within the company –Stored in the vault of a bank in Atlanta –The few that know the formula have signed very explicit confidentiality agreements –Rumor has it, those that know the formula are not allowed to travel together –If Coca-cola instead patented the syrup formula, everyone could be making it today  KFC

Phishing Scams  Tricking people into providing malicious users with their private/financial information  Financial losses to consumers: –$500 million to $2.4 billion per year depending on source –15 percent of people that have visited a spoofed website have parted with private/personal data, much of the time including credit card, checking account, and social security numbers

Phishing example? Date: Tue, 20 Sep :06: (PDT) From: Countrywide To: Subject: Important Customer Correspondence [Image: "height="] [Image: "Countrywide - Full Speectrum Lending Division"] [Image: " "] [Image: "height="] [Image: "height="] [Image: "height="] [Image: "If you could use some extra cash, Countrywide could make it easy."] [Image: "Click Here to Get Started"] [Image: "height="] [Image: "height="] [Image: "height="] [Image: "height="] Dear Timothy, We can help customers get cash from the available equity they've built up in their homes by refinancing their mortgages ? and with the trend in rising home values, we estimate your home's equity may have increased to as much as $43, (much more…) Phone number appears legit, current mortgage holder Note typographical errors (Speectrum, empty images, etc.) Big payoff offered Closer look: embedded domains doesn’t match from domain (m0.net, r.delivery.net, not countrywide.com, all same ISP (Digital Impact))

Legal Requirements  HIPAA  Gramm-Leach Bliley  FERPA  Confidentiality/Non-disclosure Agreements

Giant Eagle Example  Giant Eagle's Loyalty Program –Nearly 4 million active users in 2005 –User's purchases at both the grocery store and gas station are knowingly monitored –Can even link the card to fuel perks, enable check cashing and video rental service –Also use card at 4,000 hotels, Avis, Hertz, Alamo, numerous local retailers, sporting events, museums, zoos, ballets, operas, etc.

Giant Eagle (2)  From the privacy policy: –Giant Eagle does not share your personal information or purchase information with anyone except:  As necessary to enable us to offer you savings on products or services; or  As necessary to complete a transaction initiated by you through the use of your card;

Writing Policies  Ask numerous questions before beginning –What information is confidential? –Who should be allowed to access this information? –How long is it to remain confidential? –What type of security policy is needed? –What level of confidentiality is necessary for the given organization?

Chinese Wall Policy  Conflicts of interest –Person in one company having access to confidential information in a competing company  Based on three levels for abstract groups –Objects –Company Groups –Conflict Classes  Company groups with competing interests

Chinese Wall Policy (2)  Access control policy –Individual may access any information, given that (s)he has never accessed any information from another company in the same conflict class –So, once individual has accessed any object in a given conflict group, they are from then on restricted to only that company group within the conflict group, the rest are off-limits

Writing the Policy  Contents should include: –Obligation of confidentiality –Restrictions on the use of confidential information –Limitations on access to the confidential information –Explicit notification as to what is confidential

Implementing Policy  Host lockdown  Database lockdown  Encryption  Backup controls   Network lockdown  Device controls  Personnel controls