
Unsolved Issues in Security and Privacy Protection

Unsolved Issues in Security and Privacy Protection. Gio Wiederhold, Professor Emeritus, Computer Science, EE, and Medicine, Stanford University & MITRE CEC. Gio@cs.stanford.edu, http:infolab.stanford.edu/TIHI. February 2009. Security: protection and assurance.





Presentation Transcript


  1. Unsolved Issues in Security and Privacy Protection
     Gio Wiederhold, Professor Emeritus, Computer Science, EE, and Medicine
     Stanford University & MITRE CEC
     Gio@cs.stanford.edu, http:infolab.stanford.edu/TIHI
     February 2009

  2. Security: protection and assurance
     Crucial progress in protection has been made:
     • Remote transmission
     • Authentication
     • Firewalls around domains protect against enemies.
     Much research is based on cryptography. Are we done?

  3. What does not work? How to find out?
     Don't look for problems that fit your solution.
     • Look at recently published problem lists: found about a dozen "top 10 issues" lists
     • Observed: 2 categories
       • Lists by technologists: 91 software faults, etc. Interesting, but less relevant as guidance. Note that Microsoft's list focuses on misuse . . .
       • Lists by user organizations: 56 break-ins, etc. Needed a categorization to provide guidance.
     Note: Did not use the 2005 NIST/MITRE CVE repository of checklists.

  4. Categorization of Problems
     Sources: lists by technologists versus lists by user organizations. Arrows mark where each source rates a problem higher (↑) or lower (↓) than the other.

     Problem       Technologists   Users    Notes
     Poor SW       48% ↑           27% ↓    buffers, interfaces
     Hacking       13% ↓           34% ↑    external theft
     Theft         10% ↓           23% ↑    internal theft
     Sloppiness    15% ↑            2% ↓    weak password etc.
     Poor staff    12% ↑            4% ↓    includes management
     Stupidity      5%              5%      from phishing etc.
     Lost stuff     2% ↓            5% ↑    numbers are huge

     Each source's list carries its own bias.

  5. Many Victims of Record Release
     [Chart; its annotation reads: ≈ US population]
     From: Sasha Romanosky, Rahul Telang and Alessandro Acquisti: "Do Data Breach Disclosure Laws Reduce Identity Theft?"; CMU Heinz School, Working paper, 19 Sep. 2008.

  6. Model of major problems: software, external + internal theft
     [Diagram; labels recovered from it:]
     • Actors: Good girl (leaks), Bad apple, Hacker. Vipin Swarup: resilience consequences
     • Results: password files for Lockcrack (seed with traps), exported sniffed PWs, credit card nums., email addresses, Social Sec. nums., ...
     • Flow: requests → Information

  7. Decide where your solution fits
     [Diagram of three control layers between requests and Information; labels recovered from it:]
     • Authentication-based control (security officer): good / bad guy; validated to be O.K., nice, trusted, or naughty
     • Release control (security needs): virus check; clean / suspect; O.K. / risk; naughty or unverifiable contents
     • Role-based control (database admin): blessed request / wrong request; roles; performance, function; results

  8. 1. Software: 2 major cites
     • Buffer overflow: 48% of SW problems
     • Insecure interfaces: 34% of SW problems
       • Multi-source modules
       • No / incompatible metadata
       • Need broad testing tools; not a supplier responsibility
       • Change is frequent. When to apply? During build, often at customer; during execution: performance hit
       • New methods are needed. Who will develop them?
     Languages in use, C in particular:
     • Do not keep metadata: allocated size, entry size
     • Do not exploit metadata: check with every insert; performance hit, mitigated by parallel check; exploit multi-core
     • Can be done! [PL/ACME 1967; C string processing makes it awkward]
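As an added example, not taken from the slides, here is what "keep the metadata and check with every insert" looks like in C: a small buffer type that records its allocated size and its entry size and refuses an append that would not fit, which is exactly the check that strcpy and strcat cannot make because a plain C string carries neither number. The type and function names (bounded_buf, bb_init, bb_append, count_accepted) and the sample fragments are this example's own; the parallel, multi-core check the slide offers as a mitigation of the performance hit is not modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the slides): a string buffer that carries the two
 * pieces of metadata the slide says C strings lack, and checks them on every
 * insert. All names here are this example's own. */
typedef struct {
    char  *data;       /* storage, kept NUL-terminated */
    size_t allocated;  /* allocated size, including room for the NUL */
    size_t used;       /* entry size: bytes in use, excluding the NUL */
} bounded_buf;

static bool bb_init(bounded_buf *b, size_t allocated) {
    if (allocated == 0) return false;          /* no room even for the NUL */
    b->data = malloc(allocated);
    if (b->data == NULL) return false;
    b->data[0] = '\0';
    b->allocated = allocated;
    b->used = 0;
    return true;
}

/* Append src. Returns false and leaves the buffer unchanged when the new
 * bytes plus the NUL would exceed the allocated size: the metadata check
 * that strcpy/strcat have no way to perform. */
static bool bb_append(bounded_buf *b, const char *src) {
    size_t n = strlen(src);
    size_t room = b->allocated - 1 - b->used;  /* free bytes before the NUL */
    if (n > room) return false;
    memcpy(b->data + b->used, src, n + 1);     /* copies the NUL as well */
    b->used += n;
    return true;
}

static void bb_free(bounded_buf *b) {
    free(b->data);
    b->data = NULL;
    b->allocated = b->used = 0;
}

/* Feed a sequence of fragments into a buffer of the given size and report
 * how many were accepted. Rejected fragments are simply dropped here; an
 * unchecked copy would instead have written past the end of the allocation. */
static int count_accepted(size_t allocated, const char *const *parts, int nparts) {
    bounded_buf b;
    int accepted = 0;
    if (!bb_init(&b, allocated)) return -1;
    for (int i = 0; i < nparts; i++)
        if (bb_append(&b, parts[i])) accepted++;
    bb_free(&b);
    return accepted;
}

int main(void) {
    /* constructed input: four fragments of a request line */
    const char *parts[] = {"user=", "alice", ";role=", "clinician-with-a-very-long-title"};
    printf("16-byte buffer accepted %d of 4 fragments\n", count_accepted(16, parts, 4));
    printf("64-byte buffer accepted %d of 4 fragments\n", count_accepted(64, parts, 4));
    return 0;
}
```

The cost the slide talks about is visible in bb_append: one strlen and one comparison per insert. In exchange the over-long fourth fragment is refused instead of overwriting whatever follows the 16-byte allocation.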

  9. 2. Role-based control
     False assumption that roles match retrievable data
     • Role-based access rights assume a partitioning of data
     • Domain data are partitioned according to internal needs
     • Partitions only match roles in simple / artificial cases
     [Diagram: customer query → firewall → authentication → virus check → database access & authorization agent → result. Data sources are rarely perfectly matched to all access rights.]

  10. Access Patterns versus Data
      [Diagram relating access patterns to data; labels recovered from it: Accounting, Accreditation, Laboratory, Laboratory staff, Medical Research, Clinics, Insurance Carriers, Ward staff, Billing, Pharmacy, Inpatient, Patient, Physician, Etc., CDC]

  11. 3. Theft is not prevented
      Assumption: if the container and its entry are secure, outgoing results need not be checked.
      Wrong:
      1. Hackers and bad apples still manage to get inside
      2. Data partitioning can never be perfect
      3. Conflict between internal/external access roles and structure
      4. Assurance against any possible misfiling is unaffordable
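Slides 9 to 11 argue that roles rarely line up with how data is actually partitioned, so a check at the container (table or record) level either blocks legitimate work or over-grants, and results have to be checked on the way out. The following C program, an added example that is not from the slides, makes that concrete: a single patient record whose fields belong to three internal partitions, three roles that each cover some of them, a container-level check that no role can pass, and a result-level filter that releases field by field. The partition, field and role names, and the sample record, are this example's own construction.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides). A patient record whose fields belong
 * to different internal partitions, and roles granted some partitions each.
 * Partition, field and role names are constructed for this example. */
enum { PART_DEMOGRAPHIC = 1, PART_CLINICAL = 2, PART_BILLING = 4 };
#define ALL_PARTITIONS (PART_DEMOGRAPHIC | PART_CLINICAL | PART_BILLING)
#define NFIELDS 5

static const struct { const char *name; unsigned part; } FIELDS[NFIELDS] = {
    {"patient_name", PART_DEMOGRAPHIC},
    {"diagnosis",    PART_CLINICAL},
    {"medication",   PART_CLINICAL},
    {"insurance_id", PART_BILLING},
    {"charge_usd",   PART_BILLING},
};

static const struct { const char *role; unsigned allowed; } ROLES[] = {
    {"physician",  PART_DEMOGRAPHIC | PART_CLINICAL},
    {"billing",    PART_DEMOGRAPHIC | PART_BILLING},
    {"researcher", PART_CLINICAL},     /* clinical data only, no identity */
};

static unsigned allowed_partitions(const char *role) {
    for (size_t i = 0; i < sizeof ROLES / sizeof ROLES[0]; i++)
        if (strcmp(ROLES[i].role, role) == 0) return ROLES[i].allowed;
    return 0;                          /* unknown role: nothing */
}

/* Container-level control: the record is the container, so a role may read
 * it only if it is entitled to every partition the record spans. With the
 * roles above this grants nobody, which is the mismatch the slides describe. */
static bool container_grants(const char *role) {
    return allowed_partitions(role) == ALL_PARTITIONS;
}

/* Result-level (release) control: retrieve the record, then release or
 * withhold each field according to the partition it belongs to.
 * Returns the number of fields released; out[i] is the value or "[withheld]". */
static int filter_result(const char *role, const char *const values[NFIELDS],
                         const char *out[NFIELDS]) {
    unsigned ok = allowed_partitions(role);
    int released = 0;
    for (int i = 0; i < NFIELDS; i++) {
        if (FIELDS[i].part & ok) { out[i] = values[i]; released++; }
        else out[i] = "[withheld]";
    }
    return released;
}

int main(void) {
    /* constructed sample record */
    const char *record[NFIELDS] = {"A. Example", "J45.9", "salbutamol", "INS-0001", "120"};
    const char *roles[] = {"physician", "billing", "researcher"};
    for (int r = 0; r < 3; r++) {
        const char *out[NFIELDS];
        int n = filter_result(roles[r], record, out);
        printf("%-10s container grants: %-3s fields released: %d:",
               roles[r], container_grants(roles[r]) ? "yes" : "no", n);
        for (int i = 0; i < NFIELDS; i++) printf(" %s=%s", FIELDS[i].name, out[i]);
        printf("\n");
    }
    return 0;
}
```

The filter is deliberately placed after retrieval: that is the "release control" layer of slide 7, and it is what catches a query whose result spans partitions the requester is not entitled to, whatever the role-based check in front of the database decided.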

  12. Commercial outgoing filters
      • Ponemon Institute [Tucson, AZ] & Vontu [San Francisco, CA]: filters outgoing email only
      • Reconnex [Mountain View, CA]: filter appliance on outgoing IP port
      • RSA division of EMC [San Mateo, CA]: linguistic pattern matching on outbound traffic
      • Symantec [Cupertino, CA]: outgoing viruses
      • Vericept [Englewood, CO]: Internet traffic filter
      • Vertasys, consultants [Wyomissing, PA]
      • Websense / ex Vidius [Beverly Hills, CA; Tel Aviv, Israel], from IDF: information leak prevention, content analysis, embarrassing terms
      • Zix [Cambridge, MA]: content filtering, forces encryption
      Problem recognized, but not yet a science. Choice of paranoia: naughty versus unverifiable contents. None for statistical data.
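To show what the "naughty versus unverifiable" choice means in an outgoing filter, here is an added example in C that is not from the slides and not the code of any vendor listed: it scans an outbound message for digit runs, flags a card number that passes the Luhn check as naughty (verifiable, so certainly sensitive), flags a Social Security number shaped ddd-dd-dddd as merely suspect (SSNs carry no check digit, so the text alone cannot verify one), and otherwise passes the message as clean. The verdict names, function names and sample messages are constructed for this example; the slide's other categories, embarrassing terms and statistical data, are not covered.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides or any vendor listed above): a minimal
 * outgoing-content check. Names and sample messages are constructed here. */
typedef enum { CLEAN = 0, SUSPECT = 1, NAUGHTY = 2 } verdict;

/* Luhn checksum over n ASCII digits; true when the check digit is valid. */
static bool luhn_ok(const char *digits, size_t n) {
    int sum = 0;
    bool dbl = false;                  /* rightmost digit is not doubled */
    for (size_t i = n; i-- > 0; ) {
        int d = digits[i] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* True if s starts with ddd-dd-dddd followed by a non-digit. */
static bool ssn_shaped(const char *s) {
    const char *shape = "ddd-dd-dddd";
    for (size_t k = 0; shape[k] != '\0'; k++) {
        bool want_digit = shape[k] == 'd';
        bool is_digit = isdigit((unsigned char)s[k]) != 0;
        if (want_digit ? !is_digit : (s[k] != '-')) return false;
    }
    return !isdigit((unsigned char)s[11]);
}

/* Classify one outbound message. A digit run may contain single spaces or
 * hyphens between groups, as card numbers are commonly typed. */
static verdict classify(const char *msg) {
    verdict v = CLEAN;
    size_t len = strlen(msg);
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)msg[i])) continue;
        if (ssn_shaped(msg + i) && v < SUSPECT) v = SUSPECT;   /* unverifiable */
        char digits[19];
        size_t n = 0, j = i;
        while (msg[j] != '\0') {
            if (isdigit((unsigned char)msg[j])) {
                if (n < sizeof digits) digits[n] = msg[j];
                n++;
                j++;
            } else if ((msg[j] == ' ' || msg[j] == '-') &&
                       isdigit((unsigned char)msg[j + 1])) {
                j++;                   /* separator inside the run */
            } else {
                break;
            }
        }
        if (n >= 13 && n <= 19 && luhn_ok(digits, n)) return NAUGHTY; /* verified */
        i = j;                         /* resume after this run */
    }
    return v;
}

int main(void) {
    /* constructed sample messages; the card number is a well-known test value */
    const char *samples[] = {
        "Please charge card 4111 1111 1111 1111 for the visit",
        "Patient SSN 123-45-6789 is on file",
        "Order 4111111111111112 shipped; call 555-1234",
        "Talk given in February 2009, 18 slides",
    };
    const char *label[] = {"clean", "suspect", "naughty"};
    for (int k = 0; k < 4; k++)
        printf("%-8s %s\n", label[classify(samples[k])], samples[k]);
    return 0;
}
```

The third message is the interesting one: a 16-digit run that fails the Luhn check is treated as an order number rather than a card, which is the "choice of paranoia" the slide names. A stricter policy would return SUSPECT for any long digit run; a looser one would ignore SSN-shaped numbers entirely because they cannot be verified.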

  13. Conflicts in health care privacy
      • Individual patient care needs: incompatibility among 300 EHR providers
      • Medical research needs broad interoperation
      • Drug manufacturers hold an increasing fraction of data
      • Insurance companies feared, more than rational
      • Patient wishes so complex they are ignored:
        • Release nothing
        • Release selected only
        • Release most, except selected
        • Release it all
      • Rules imposed by wimpy bureaucrats:
        • Release only to own provider
        • Release to any provider
        • Release for medical research  X
      [J. Marquard, UofM Amherst & P. Brennan, U. Wisc.: Are we crying wolf? JHIM 2009]

  14. Assigning the Responsibility
      • Database Administrator
        • Can create views limiting access in RDBMSs
        • Prime role is to assure convenient data access
      • Network Administrator
        • Can restrict incoming and outgoing IP addresses
        • Prime role is to keep the network up and connected
      • Specialist Security Officer
        • Prime responsibility is security & privacy protection
        • Funds implementation of security policy
        • Interacts with database & network administrators
        • Conflicting duties, as in Human Resource management
      :-) :-| :-(

  15. Selling Security
      • NSF: reviewers prefer novelty over effectiveness
      • NIH / NLM: no credible specifications; it's all software
      • DHS: large fraction technology transition
      • Industry:
        • There is rarely an economic business focus; no profit center is associated with security
        • Often the wrong people are in charge

  16. No quantified economic model
      • Costs of being secure are high, and the costs of maintaining security are yet higher
      • The benefits are not visible when it works. Equal to Bush's problem: did the Patriot Act prevent attacks?
      • The costs of failures are hard to quantify: mainly high volume, low cost/exposure. Failures are often dealt with by lawyers / meaningless action. Security admin gets replaced (and hired somewhere else).

  17. Summary: It's not all technical
      The issue of data security is not solved.
      • Crucial holes are poorly addressed
      • The economic model is weak
      • Funders & reviewers look for novelty
      • Software developers do not benefit from integrating security in their products
      • Complex rules are imposed
      • Inappropriate folk are in charge of $ & use
