Department of Computer Science
Data Security
Elisa Bertino
CS Department, CERIAS and Cyber Center, Purdue University
Currently on sabbatical at National University of Singapore
Dimensions in Data Security
• Security Requirements
– Confidentiality and Privacy
– Trustworthiness
– Accountability
• Platforms
– Clouds
– Mobile Systems
• Trust Assumptions
– HW
– Operating Systems
– Applications
Data Confidentiality and Privacy: The Problem of Insider Threat
Motivations and Challenges
• Mission-critical information = high-value target
• Threatens US and other government organizations and large corporations
• Probability is low, but impact is severe
• Types of threat posed by malicious insiders
– Denial of service
– Data leakage and compromise of confidentiality
– Compromise of integrity
• High complexity of problem
– Increase in sharing of information and knowledge
– Increased availability of corporate knowledge online
– “Low and slow” nature of malicious insiders
Some Data
• 2010 CyberSecurity Watch Survey 2004 (CSO Magazine in cooperation with US Secret Service, CMU CERT and Deloitte)
– 26% of attacks on survey respondents’ organizations were from insiders (as comparison: 50% from outsiders, 24% unknown)
– Of these attacks, the most frequent types are:
• Unauthorized access to / use of information, systems or networks: 23%
• Theft of other (proprietary) info including customer records, financial records, etc.: 15%
• Theft of intellectual property: 16%
Remediation: Some Initial Ideas
• Distribute trust amongst multiple parties to force collusion
– Most insiders act alone
• Question trust assumptions made in computing systems
– Treat the LAN like the WAN
• Create profiles of data access and monitor data accesses to detect anomalies
Anomaly Detection and Response System for Databases
Anomalous Access Pattern Example
[Figure: normal access pattern, SQL commands against the user tables T1, T2, T3; anomalous access pattern, SQL commands against the system tables syscolumns and sysobjects]
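The slide's picture, as a small profile-based detector. This is an added example written for this page, not code from the talk or from the system it describes. It learns, from a constructed training log, which SQL commands and tables each role normally uses, and then flags statements that leave that profile, with a separate reason when the unprofiled table is a system catalog table such as sysobjects or syscolumns. The role name "app", the table names, the regex for pulling table names out of statements and the "sys" / "information_schema." prefix list are all assumptions made here.

```python
import re
from collections import defaultdict

# Constructed training log of normal application activity: (role, SQL statement).
# These stand in for the slide's SQL commands against the user tables T1, T2, T3.
TRAINING_LOG = [
    ("app", "SELECT id, name FROM T1 WHERE id = 1"),
    ("app", "SELECT a.id, b.total FROM T1 a JOIN T2 b ON a.id = b.t1_id"),
    ("app", "INSERT INTO T3 (t1_id, note) VALUES (1, 'first')"),
    ("app", "UPDATE T2 SET total = 5 WHERE id = 9"),
    ("app", "DELETE FROM T3 WHERE id = 4"),
]

# Table names follow these keywords in the statement shapes handled here (assumption).
_TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_.]*)", re.IGNORECASE)
_COMMAND_RE = re.compile(r"^\s*([A-Za-z]+)")

# The catalog tables the slide names (syscolumns, sysobjects) share the "sys" prefix;
# information_schema is added here as a further example of a system table namespace.
SYSTEM_CATALOG_PREFIXES = ("sys", "information_schema.")


def tables_referenced(sql):
    """Set of table names (lower-cased) that a statement reads or writes."""
    return {m.group(1).lower() for m in _TABLE_RE.finditer(sql)}


def command_of(sql):
    """Leading SQL verb of a statement, upper-cased (SELECT, INSERT, ...)."""
    m = _COMMAND_RE.match(sql)
    return m.group(1).upper() if m else ""


def build_profile(log):
    """Per role, the set of commands and tables observed during the training window."""
    profile = defaultdict(lambda: {"commands": set(), "tables": set()})
    for role, sql in log:
        profile[role]["commands"].add(command_of(sql))
        profile[role]["tables"] |= tables_referenced(sql)
    return dict(profile)


def classify(profile, role, sql):
    """Compare one statement with the role's profile; list every deviation found."""
    known = profile.get(role)
    if known is None:
        return {"anomalous": True, "unknown_tables": set(),
                "reasons": ["no profile exists for role %r" % role]}
    reasons = []
    command = command_of(sql)
    if command not in known["commands"]:
        reasons.append("command %s never seen for role %s" % (command, role))
    unknown = tables_referenced(sql) - known["tables"]
    for table in sorted(unknown):
        if table.startswith(SYSTEM_CATALOG_PREFIXES):
            reasons.append("access to system catalog table %s" % table)
        else:
            reasons.append("access to unprofiled table %s" % table)
    return {"anomalous": bool(reasons), "unknown_tables": unknown, "reasons": reasons}


if __name__ == "__main__":
    profile = build_profile(TRAINING_LOG)
    # Constructed live stream: the last two statements mirror the slide's anomalous pattern.
    live = [
        ("app", "SELECT name FROM T1 WHERE id = 2"),
        ("app", "SELECT name FROM sysobjects WHERE xtype = 'U'"),
        ("app", "SELECT name FROM syscolumns WHERE id = 1"),
    ]
    for role, sql in live:
        result = classify(profile, role, sql)
        print("ANOMALY" if result["anomalous"] else "ok     ", sql, result["reasons"])
```

The profile is deliberately coarse (commands and tables per role); a production detector would also profile columns, result sizes and time of day, but even this level separates the user-table pattern from the catalog-walking pattern the slide contrasts.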
Is Anomaly Detection Sufficient?
Look at the various mechanisms used by insiders (from (*)):
– Copied information to mobile device (USB drive, iPod, etc.): 42%
– Downloaded information to home computer: 38%
– Stole information by sending it out via email: 34%
– Shared account (e.g. system administrator, DBA, etc.): 33%
– Stole hardcopy information: 30%
– Compromised an account: 28%
– Remote access: 25%
– Used authorized system administrator access: 25%
– Stole information by downloading it to another computer: 25%
– Escalated privileges: 22%
– Blackberry or other mobile handheld device: 20%
– Social engineering: 17%
– Password crackers or sniffers: 16%
– Backdoors: 13%
– Rootkit or hacking tools: 9%
– Malicious code inserted as part of the software development process: 5%
– Logic bomb: 2%
– Other: 8%
– Don't know: 11%
A Comprehensive Approach
[Figure: components are an expected behavior model; observable activities (database accesses, printing, email, file accesses, external device accesses, encryption); anomaly detectors (database access analysis, data flow analysis, social network analysis); a risk assessor; and risks & alerts]
Data Trustworthiness
Approaches
• Integrity models and techniques
– From the security area:
• Biba Model
• Clark-Wilson Model
• Signature techniques
• Physical integrity
• Semantic integrity
• Data quality
• Web-data trust
• Reputation techniques
The Trust Fabric
[Figure: trustworthiness, surrounded by four management areas]
• Usage management (of authorized activities)
• Identity management (of people, organizations, and devices)
• Attack management (of unauthorized activities)
• Provenance management (of data, software, and requests)
An Example: A Cyclic Framework for Assessing Data Trustworthiness for Sensor Streaming Data
Modeling Sensor Networks and Data Provenance
• A sensor network is a graph G(N, E)
– N = { n_i | n_i is a network node whose identifier is i }: a set of sensor nodes
• a terminal node generates a data item and sends it to one or more intermediate or server nodes
• an intermediate node receives data items from terminal or intermediate nodes, and passes them on to intermediate or server nodes
• a server node receives data items and evaluates continuous queries based on those items
– E = { e_{i,j} | e_{i,j} is an edge connecting nodes n_i and n_j }: a set of edges connecting sensor nodes
• A data provenance p_d
– p_d is a subgraph of G
[Figure: (a) a physical network with terminal nodes, intermediate nodes and a server node; (b) a simple path; (c) an aggregate path; (d) an arbitrary graph]
Assessing Trustworthiness: Computing Trust Scores
• Trust scores: quantitative measures of trustworthiness
– Data trust scores: indicate how much we can trust the data items
– Node trust scores: indicate how much we can trust the sensor nodes to collect correct data
• Scores provide an indication of the trustworthiness of data items/sensor nodes and can be used for comparison or ranking purposes
• Interdependency between data and node trust scores
– The trust score of the data affects the trust score of the sensor nodes that created the data
– The trust score of the node affects the trust score of the data created by the node
– Data arrives incrementally in data stream environments
A Cyclic Framework for Computing Trust Scores
• Trust score of a data item d
– The current trust score of d is the score computed from the current trust scores of its related nodes.
– The intermediate trust score of d is the score computed from a set D (d ∈ D) of data items of the same event.
– The next trust score of d is the score computed from its current and intermediate scores.
• Trust score of a sensor node n
– The intermediate trust score of n is the score computed from the (next) trust scores of data items.
– The next trust score of n is the score computed from its current and intermediate scores.
– The current trust score of n is the score assigned to that node at the last stage.
[Figure: the six-step cycle: current trust scores of nodes → current trust scores of data items → (together with the set of data items of the same event in a current window) intermediate trust scores of data items → next trust scores of data items → intermediate trust scores of nodes → next trust scores of nodes → current trust scores of nodes for the next window]
Intermediate Trust Scores of Data (in more detail)
• Data trust scores are adjusted according to the data value similarities and the provenance similarities of a set of recent data items (i.e., history)
– The more data items have similar values, the higher the trust scores of these items are
– Different provenances of similar data values may increase the trustworthiness of data items
[Figure: the same six-step cycle, highlighting the computation of the intermediate trust scores of data items from the set of data items of the same event in a current window]
Effect of the two similarities on the score:
– Similar data value, similar provenance: score ↑
– Similar data value, different provenance: score ↑↑↑ (cross checked)
– Different data value, similar provenance: score ↓↓↓ (conflict)
– Different data value, different provenance: score ↓
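One turn of the cycle, carried through on a constructed window. This is an added example written for this page, not the framework's own implementation: the slides give the structure of the cycle and the ↑/↓ table but no formulas, so every formula below is an assumption, labelled as such in the code. It covers the sensor-network model (terminal nodes, an intermediate node and a server node, with each item's provenance as the path it travelled), the six steps of the cycle, and the intermediate-score adjustment that rewards similar values with different provenance and penalises conflicting values with similar provenance. Assumed choices: the current data score is the mean of the node scores along the provenance; "similar value" means within VALUE_TOLERANCE; "similar provenance" means Jaccard overlap of the node sets of at least PROVENANCE_SIMILARITY; the table's arrows are ±1 and ±3 units of STEP; next scores are the average of current and intermediate; a node's intermediate score is the mean next score of the items it created. The node and item names are constructed.

```python
from dataclasses import dataclass
from statistics import mean

# Assumed parameters (not from the slides): how close two readings must be to count
# as "similar values", how much provenance overlap counts as "similar provenance",
# and how far one adjustment unit moves a score.
VALUE_TOLERANCE = 1.0
PROVENANCE_SIMILARITY = 0.5
STEP = 0.1

# Adjustment units keyed by (similar_value, similar_provenance), following the
# slide's table: ↑ = +1, ↑↑↑ (cross checked) = +3, ↓ = -1, ↓↓↓ (conflict) = -3.
ADJUSTMENT = {(True, True): 1, (True, False): 3, (False, True): -3, (False, False): -1}


@dataclass
class DataItem:
    id: str
    value: float
    provenance: list      # node ids from the creating terminal node to the server node
    current: float = 0.0
    intermediate: float = 0.0
    next_score: float = 0.0


def clamp(score):
    return max(0.0, min(1.0, score))


def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b)


def current_data_scores(items, node_scores):
    """Step 1 (assumed formula): mean of the current node scores along the provenance."""
    for d in items:
        d.current = mean(node_scores[n] for n in d.provenance)


def intermediate_data_scores(items):
    """Step 2: adjust each item by comparing it with the other items of the same event."""
    for d in items:
        others = [o for o in items if o is not d]
        if not others:
            d.intermediate = d.current
            continue
        units = 0
        for o in others:
            similar_value = abs(d.value - o.value) <= VALUE_TOLERANCE
            similar_prov = jaccard(d.provenance, o.provenance) >= PROVENANCE_SIMILARITY
            units += ADJUSTMENT[(similar_value, similar_prov)]
        d.intermediate = clamp(d.current + STEP * units / len(others))


def next_data_scores(items):
    """Step 3 (assumed formula): average of current and intermediate scores."""
    for d in items:
        d.next_score = (d.current + d.intermediate) / 2


def intermediate_node_scores(items, node_scores):
    """Step 4: a creating node takes the mean next score of the items it produced;
    nodes that created nothing in this window keep their current score (assumption)."""
    produced = {}
    for d in items:
        produced.setdefault(d.provenance[0], []).append(d.next_score)
    return {n: (mean(produced[n]) if n in produced else s) for n, s in node_scores.items()}


def next_node_scores(node_scores, intermediate):
    """Step 5 (assumed formula): average of current and intermediate node scores."""
    return {n: (node_scores[n] + intermediate[n]) / 2 for n in node_scores}


def run_window(items, node_scores):
    """One turn of the cycle; the returned scores become the nodes' current scores (step 6)."""
    current_data_scores(items, node_scores)
    intermediate_data_scores(items)
    next_data_scores(items)
    return next_node_scores(node_scores, intermediate_node_scores(items, node_scores))


def sample_window():
    """Constructed window: four readings of one event, shaped like panel (a) of the slide."""
    node_scores = {"tn1": 0.8, "tn2": 0.8, "tn3": 0.8, "tn4": 0.8, "in": 0.8, "sn": 0.8}
    items = [
        DataItem("d1", 20.0, ["tn1", "in", "sn"]),
        DataItem("d2", 20.5, ["tn2", "in", "sn"]),
        DataItem("d3", 20.2, ["tn3", "sn"]),
        DataItem("d4", 35.0, ["tn4", "sn"]),   # outlier reading
    ]
    return items, node_scores


if __name__ == "__main__":
    items, node_scores = sample_window()
    updated = run_window(items, node_scores)
    for d in items:
        print(d.id, d.value, "current=%.3f intermediate=%.3f next=%.3f"
              % (d.current, d.intermediate, d.next_score))
    for n in sorted(updated):
        print(n, "%.3f -> %.3f" % (node_scores[n], updated[n]))
```

In the constructed window d3 ends up most trusted: its value agrees with d1 and d2 but it arrived over a different path, which is the "cross checked" case, while the outlier d4 loses trust and drags down the score of the terminal node tn4 that created it. Running a second window with the returned node scores as the new current scores closes the cycle.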
Discussion
• How do we use trust scores?
– Notion of confidence policy
– Situation awareness
• How do we improve data assessment?
– Use of semantic knowledge
– Dynamic integration of new data sources, also heterogeneous
• How do we deal with rapidly changing values?
– User awareness
– Triggering additional actions, for example collecting more evidence
• Sensor node sleep/awake times based on data trust scores (required and observed)
• How do we securely convey provenance?
– Data watermarking techniques
• How do we deal with privacy/confidentiality?
– Privacy-preserving data matching techniques
Data Accountability
Definition and Technical Architectures
Data accountability means that:
• The use of data should be transparent, so that it is possible to determine whether a particular use is appropriate under a given set of rules
• The systems managing the data enable individuals and organizations to be held accountable for data misuse
Mechanisms and Tools
• Metadata concerning data purpose
• Policy-aware transaction logs
• Policy management systems
Securing Data in the Cloud
Security Is the Major Challenge
A Simple Example
Today's data center (we have control):
– It’s located at X.
– It’s stored in servers Y, Z.
– We have backups in place.
– Our admins control access.
– Our uptime is sufficient.
– The auditors are happy.
– Our security team is engaged.
Cloud-based data center (who has control?):
– Where is it located?
– Where is it stored?
– Who backs it up?
– Who has access?
– How resilient is it?
– How do auditors observe?
– How does our security team engage?
Slide based on presentation “Security and Cloud Computing” by Michael Waidner (IBM)
Top Security Threats
• CSA (2010)
– Abuse and Nefarious Use of Cloud Computing
– Insecure Application Programming Interfaces
– Malicious Insiders
– Shared Technology Vulnerabilities
– Data Loss/Leakage
– Account, Service & Traffic Hijacking
– Unknown Risk Profile
• Gartner (2008)
– Privileged user access
– Regulatory compliance
– Data location
– Data segregation
– Recovery
– Investigative support
– Long-term viability
• ENISA (2009)
– Loss of governance
– Lock-in
– Isolation failure
– Compliance risks
– Management interface compromise
– Data protection
– Insecure or incomplete data deletion
– Malicious Insider
Cloud Provider Location
• It is important to be aware of where data are stored.
• If data do end up at an international site, those systems will be subject to the laws and policies of that jurisdiction.
• Also, one has to be confident that international connectivity will remain up and uncongested.
• Data should have metadata indicating location restrictions and compliance obligations.
Investigative Support
What we need:
• Audit trails for creation, access, modification, destruction of data
– Audit trails need to be kept in a tamper-proof way
– For data destruction, there must be an attestation that destruction is complete
• Attestation of data accuracy
• Chain of custody defined for data retrieval
• Provision for snapshots of all customer data
• Facility for a trusted third party for dispute resolution over data
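A policy-aware, tamper-evident audit trail, serving both the data accountability slide (purpose metadata and policy-aware transaction logs) and the investigative support requirement that audit trails for creation, access, modification and destruction be kept in a tamper-proof way. This is an added example written for this page, not code from the talk or from any product it mentions. Each entry records the actor, action, data set and declared purpose, the decision of a purpose check against constructed per-data-set purpose metadata, and a SHA-256 link to the previous entry; verifying the chain detects any edited, inserted or deleted entry. The data set names, purposes, actors and timestamps are constructed, and the purpose rule (a use is appropriate when its purpose is in the data set's allowed set) is an assumption.

```python
import hashlib
import json

# Constructed purpose metadata attached to each data set: the purposes under which
# the data may be used (the "given set of rules" of the accountability definition).
DATA_PURPOSES = {
    "customer_records": {"billing", "support"},
    "design_docs": {"engineering"},
}

GENESIS_HASH = "0" * 64


def is_appropriate(data_id, purpose):
    """Policy check (assumed rule): is this purpose allowed for this data set?"""
    return purpose in DATA_PURPOSES.get(data_id, set())


def _digest(fields):
    """SHA-256 over a canonical JSON encoding, so any field change alters the hash."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_entry(log, ts, actor, action, data_id, purpose):
    """Record one create/access/modify/destroy event, chained to the previous entry."""
    entry = {
        "ts": ts, "actor": actor, "action": action, "data_id": data_id,
        "purpose": purpose,
        "decision": "allow" if is_appropriate(data_id, purpose) else "deny",
        "prev": log[-1]["hash"] if log else GENESIS_HASH,
    }
    entry["hash"] = _digest(entry)   # covers every field above, including "prev"
    log.append(entry)
    return entry


def verify_chain(log, head=None):
    """Return (ok, index): index is the first entry whose hash or back-link does not
    match, len(log) if the chain does not end at the expected head hash, or -1 if intact."""
    prev = GENESIS_HASH
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("prev") != prev or _digest(body) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    if head is not None and prev != head:
        return False, len(log)
    return True, -1


def misuse_report(log):
    """Entries whose recorded purpose was not appropriate for the data set."""
    return [e for e in log if e["decision"] == "deny"]


if __name__ == "__main__":
    log = []
    append_entry(log, "2024-01-01T09:00:00Z", "alice", "create", "customer_records", "billing")
    append_entry(log, "2024-01-01T09:05:00Z", "bob", "access", "customer_records", "marketing")
    append_entry(log, "2024-01-01T09:10:00Z", "carol", "destroy", "design_docs", "engineering")
    head = log[-1]["hash"]   # the head hash is what the customer keeps outside the provider
    print("intact:", verify_chain(log, head))
    print("misuse:", [(e["actor"], e["purpose"]) for e in misuse_report(log)])
    log[1]["purpose"] = "billing"   # history rewritten after the fact
    print("after edit:", verify_chain(log, head))
```

The chain only proves that the log the customer is shown is the log that was written; it is tamper-evident, not tamper-proof. What makes it useful for dispute resolution is keeping the head hash (or periodic checkpoints of it) with the customer or a trusted third party, so that a provider cannot silently truncate or rewrite the trail it holds.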
Privileged User Access
What we need:
• Segregation of user data from the cloud administrators
• Encryption solutions that
– Allow customers to maintain control over encryption keys
– Ensure that keys are safely and securely provided to encryption processes without an opportunity for compromise or the cloud having to retain those keys
• Data management functions that can operate on encrypted data
– Such as backup functions
Concluding Remarks
• The problem of securing data is difficult
• Data must be secured without being overly restrictive
• Novel encryption techniques and hardware can help
• Risk assessment is crucial