
Privacy and Encryption in eGovernment

Presentation Transcript


  1. Privacy and Encryption in eGovernment
     Dewey Landrum, Technical Architect – CSO SLED West Sector, CISSP
     August 11, 2008

  2. Privacy Regulations
     • Health Insurance Portability and Accountability Act (HIPAA)
     • Gramm-Leach-Bliley Act (GLBA)
     • Texas Administrative Code
       • TAC, Title 1, Part 10, Chapter 202
     • Texas Public Information Act
       • Part III, Chapter 252
       • Right to Access
       • Special Right to Access
       • Subchapter C - Information Excepted
       • Most Useful Source

  3. Privacy Act and Portals

  4. Examples of Private Information
     • Personal Information
     • Litigation & Negotiations
     • Competition or Bidding Information
     • Location or Price of Property
     • Records that would interfere with prosecution
     • Student Records
     • Birth (75 years) & Death (25 years) Records
     • Audit Working Papers
     • Addresses, Telephone Numbers, Social Security Numbers, & Personal Family Information of state employees & peace officers
     • Photographs of law enforcement & security guards

  5. Examples Continued
     • Certain email addresses
     • Crime Victim Information
     • Family Violence & Shelter work information
     • Information related to Computer Security Issues
     • Military Discharge Records (DD-214 – 75 years)
     • Many others not listed

  6. The Confusion of Encryption
     • Encryption can be a very confusing topic
     • Various algorithms
       • DES, Triple DES, AES, BLOWFISH, etc.
     • Asymmetrical versus Symmetrical
       • Asymmetrical – usually two keys
         • One for everyone to encrypt to (public key)
         • One for just you to decrypt by (private key)
       • Symmetrical
         • One key used to decrypt and encrypt by
     • Different opinions on what and when to encrypt
       • Encrypt everything
       • Encrypt just what you need
     • Plus – it’s based on advanced math!

  7. A Cornucopia of Standards
     • NIST SP 800-21 Guidelines for Implementing Cryptography in Federal Government
     • NIST SP 800-38C Block Cipher Modes of Operation: Authentication & Confidentiality
     • FIPS 180-2 Secure Hash Standards
     • FIPS 186-2 Digital Signature Standards
     • FIPS 192 Advanced Encryption Standard (AES)
     • Many other government-based standards
       • FISMA
       • PCI
       • HIPAA
       • GLBA

  8. Why Encrypt?
     • Encryption is used to keep sensitive information private
     • Militaries and governments have used various forms of encryption for centuries
     • Only recently widely used by businesses and civilians
     • Encryption can be applied to information in each of the following states:
       • While information is being moved from one place to another (in transit)
       • While information is being processed
       • While information is being stored

  9. What are all these algorithms?
     • DES, Triple DES, AES, etc.
     • As computing power becomes greater, various encryption standards become effectively weaker
     • DES was once so strong, the government asked that it be weakened so it could be broken if necessary
     • Triple DES is just DES run through the encryption/decryption process three times
     • AES (Advanced Encryption Standard) is the latest government standard
     • These are basically the mathematical formulas for encrypting and decrypting data

  10. Asymmetrical Keys
     • A fancy word that basically means:
       • “I have two keys that aren’t the same. One key for encryption, one key for decryption.”
     • Asymmetrical – two keys that aren’t the same
     • Used so that many people can send information to one source without the senders being able to decrypt the information
     • Senders must have their own key pair if they are going to receive encrypted information
     • Must deal with the problem of having to have the public key for everyone receiving information. The biggest issue is key distribution.
     • Takes more processing power because you may be encrypting to many keys at once

  11. Symmetrical Keys
     • A fancy word that basically means:
       • “I have one key to encrypt and decrypt by.”
     • Symmetrical – one key used for encryption and decryption
     • Typically used for small groups of people or for applications accessing the same data
     • Faster than Asymmetrical because there’s only one key
     • Everyone that is going to encrypt or decrypt must have the same key
       • How do you prevent the key from being distributed to unauthorized people?
       • How do you know the key isn’t being accessed by someone not authorized to access it?
       • What if the key gets corrupt or compromised?
       • How do I change the keys?
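Slides 10 and 11 describe the trade-off; in practice the two are combined as hybrid (envelope) encryption, which the following added Go example demonstrates. It is not code from the presentation: each sender encrypts the bulk data with a fresh AES-GCM key and wraps only that key to the portal's RSA public key, so any number of senders can submit data and only the private-key holder can read any of it. The names Seal, Open and NewPortalKey and the key and nonce sizes are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

const keyLen, nonceLen = 32, 12 // AES-256 key; standard AES-GCM nonce size
// NewPortalKey makes the portal's key pair: the public half is handed to every sender.
func NewPortalKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// gcmFor turns a raw data key into an AES-GCM AEAD (encryption plus integrity).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is run by any sender holding only the public key: bulk data goes under a fresh
// per-message symmetric key, and only that 32-byte key is wrapped with RSA-OAEP.
func Seal(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, sealed []byte, err error) {
	buf := make([]byte, keyLen+nonceLen)
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	dataKey, nonce := buf[:keyLen], buf[keyLen:]
	gcm, _ := gcmFor(dataKey) // cannot fail: the key length is fixed at 32 bytes
	if wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil); err != nil {
		return nil, nil, err
	}
	return wrappedKey, gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext
}

// Open is run only by the private-key holder; a sender cannot unwrap anyone's data key.
func Open(priv *rsa.PrivateKey, wrappedKey, sealed []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	if gcm, err := gcmFor(dataKey); err == nil && len(sealed) >= nonceLen {
		return gcm.Open(nil, sealed[:nonceLen], sealed[nonceLen:], nil) // fails on tampering
	}
	return nil, errors.New("malformed wrapped key or sealed message")
}
```

The expensive RSA operation runs once per message over 32 bytes regardless of how large the submission is, which is why the "more processing power" cost of slide 10 stays bounded.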

  12. Differing Opinions on Encryption
     • There are two basic views on encrypting network traffic:
       • Encrypt everything from the client browser connection to the database
       • Encrypt only what needs to be encrypted until you get to a trusted environment

  13. Encrypt Everything
     • Encrypt everything from the client browser connection to the database, including network traffic
     • Use SSL (Secure Sockets Layer) to encrypt the connection to the web server so it can’t be intercepted over the Internet
     • Encrypt internal traffic (SSL or IPsec) so it can’t be intercepted by either staff members or rogue users
     • Encrypt it in the database so if someone breaks in and steals the data, it is still encrypted

  14. Problems with Encrypt Everything
     • There are various issues with SSL browser compatibility
       • Older browsers may not support 128-bit encryption
       • Export laws – if you only support 128-bit encryption, you may not be able to support worldwide commerce
     • Encrypting internal traffic blocks the ability to monitor attacks
       • Most Intrusion Prevention/Detection Systems don’t support decryption of traffic for inspection - they are blind to encrypted attacks
       • Many of the better hacking tools now support SSL as an option - hackers choose this option to hide their attacks from Intrusion Prevention/Detection systems
       • Host-based IPS can decrypt traffic for inspection, but is much more expensive to put on every host than deploying a network-based sensor
     • Database encryption works only if the attacker is outside of the application and does not have access to the keys
     • It’s much more expensive – disks, network bandwidth, processing time, etc.

  15. Encrypt Only What You Need To
     • Encrypt only what is required to protect data
     • Use SSL (Secure Sockets Layer) to encrypt the connection to the web server so it can’t be intercepted over the Internet, and only when you are passing sensitive information
     • Encrypt internal traffic only when it is very sensitive information and you are in a mixed network environment
       • If you don’t trust your data center or internal staff, maybe you need new staff
     • Encrypt only the columns in the database that contain sensitive information

  16. Problems with Encrypt What You Need To
     • SSL is still vulnerable to “Man-in-the-Middle” attacks
     • Various versions of SSL have vulnerabilities like any other piece of software - must keep it updated
     • Must force connections to redirect to encryption
     • Web servers are frequently breached, which gives a “beach head” for sniffing internal traffic that is not encrypted
     • Staff members steal more data than hackers - encrypted internal traffic helps stop this
     • Database encryption can occur within the application or at the database
       • To only encrypt certain columns is more expensive (more code)
       • How do you know what to encrypt?
       • What about aggregated information?
       • Do you trust your DBAs more than System Administrators?

  17. Encryption Won’t Always Help
     • Many attacks are now conducted through the application
       • The application must have access to the data
     • Most attacks are successful because of improper input validation (they don’t properly check what the user is putting in the form)
     • Many attacks are successful because unnecessary services were running or certain services were not properly patched or configured
     • Allowing administrative services to be accessible from the Internet is also a common cause for breaches

  18. Example – Rhode Island
     • The information was encrypted in the database and SSL was used for connections
     • Improper input validation let the hacker display files containing server user names and hashed passwords
       • Many tools are available to “unhash” the passwords
       • This type of issue is usually either a patch or configuration issue
       • Most IPS systems will detect this type of attack if they can read the traffic
     • An unprotected (outside of VPN access) SSH (Secure Shell) service was available from the Internet - the hacker just logged in with an account and password
     • The hacker spooled information from the database to a file
       • He was outside of the application, so the data was strongly encrypted
       • He had access to the keys, so he downloaded them
       • Since encryption methods are standard, he downloaded an encryption kit for the type of encryption used and decrypted the data
     • Proper monitoring would have caught access to the keys
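The last bullet is the detection point of this slide. As an added example that is not from the presentation, the Go program below applies three rules drawn from the narrative to a constructed log: SSH sessions that do not arrive through the VPN, reads of the database key file by any account other than the application's, and bulk exports from the database. The log format, the 10.8.0.0/16 VPN range, the /etc/app/db.key path and the account names are all invented for this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// SampleLog is constructed for this example (not a real product's format):
// "<event> <user> <source-ip> <object>", with "-" when there is no object.
var SampleLog = []string{
	"ssh-login webapp 10.8.0.12 -",               // from a VPN client: expected
	"ssh-login svc_backup 203.0.113.7 -",         // straight from the Internet
	"file-read appsvc 10.0.5.10 /etc/app/db.key", // the application reading its own key
	"file-read svc_backup 10.0.5.10 /etc/app/db.key",
	"db-export svc_backup 10.0.5.10 /tmp/customers.dump",
}

// Policy states who may do what; everything outside it becomes an alert.
type Policy struct {
	VPNRange  *net.IPNet // the only source range allowed to open SSH sessions
	KeyPath   string     // path of the database encryption key file
	KeyReader string     // the only account expected to read that file
}

var _, vpnRange, _ = net.ParseCIDR("10.8.0.0/16") // constructed VPN client range
var DefaultPolicy = Policy{VPNRange: vpnRange, KeyPath: "/etc/app/db.key", KeyReader: "appsvc"}

// Audit returns one alert per rule violation; an empty result means nothing to review.
func Audit(p Policy, lines []string) []string {
	var alerts []string
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 4 {
			alerts = append(alerts, "unparseable line: "+line)
			continue
		}
		event, user, src, obj := f[0], f[1], net.ParseIP(f[2]), f[3]
		switch {
		case event == "ssh-login" && (src == nil || !p.VPNRange.Contains(src)):
			alerts = append(alerts, fmt.Sprintf("SSH from outside the VPN: %s from %s", user, f[2]))
		case event == "file-read" && obj == p.KeyPath && user != p.KeyReader:
			alerts = append(alerts, fmt.Sprintf("key file read by unexpected account %s", user))
		case event == "db-export": // every bulk dump is reviewed, whoever ran it
			alerts = append(alerts, fmt.Sprintf("bulk database export by %s to %s", user, obj))
		}
	}
	return alerts
}
```

Run over SampleLog, the first and third lines pass and the remaining three each raise an alert, the same three steps the slide describes.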

  19. How do you protect your information?
     • A good foundation of policies and procedures
     • Follow established standards
       • FISMA
       • PCI
       • GLBA
     • DO NOT make up your own encryption standard
     • Perform proper monitoring
     • Encrypt what is necessary
     • Perform audits to ensure processes work and are being followed
     • Perform testing
     • Have a third party evaluate your program
