Overview of Information Security & Privacy
Nawanan Theera-Ampornpunt, M.D., Ph.D.
Faculty of Medicine Ramathibodi Hospital
Mahidol University
July 17, 2015
http://www.SlideShare.net/Nawanan
Outline
Introduction to Information Privacy & Security
Protecting Information Privacy & Security
User Security
Software Security
Cryptography
Malware
Security Standards
Introduction to Information Privacy & Security
Threats to Information Security
Security Threats & Thailand
https://www.thaicert.or.th/downloads/files/ThaiCERT_Annual_Report_th_2013.pdf
ThaiCERT (2013)
Security Threats & Thailand
https://www.facebook.com/longhackz
Security Threats & Thailand
(Top) http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/
(Bottom) http://www.bloomberg.com/news/articles/2014-12-07/sony-s-darkseoul-breach-stretched-from-thai-hotel-to-hollywood
Security Threats & Health Care
http://usatoday30.usatoday.com/life/people/2007-10-10-clooney_N.htm
Security Threats & Health Care
http://news.sanook.com/1262964/
Sources of the Threats
Hackers
Viruses & Malware
Poorly-designed systems
Insiders (Employees)
People's ignorance & lack of knowledge
Disasters & other incidents affecting information systems
Consequences of Security Attacks
Information risks
- Unauthorized access & disclosure of confidential information
- Unauthorized addition, deletion, or modification of information
Operational risks
- System not functional (Denial of Service - DoS)
- System wrongly operated
Personal risks
- Identity theft
- Financial losses
- Disclosure of information that may affect employment or other personal aspects (e.g. health information)
- Physical/psychological harm
Organizational risks
- Financial losses
- Damage to reputation & trust
Etc.
Privacy & Security
Privacy: "The ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively." (Wikipedia)
Security: "The degree of protection to safeguard ... person against danger, damage, loss, and crime." (Wikipedia)
Information Security: "Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction" (Wikipedia)
Security & Privacy
http://en.wikipedia.org/wiki/A._S._Bradford_House
Information Security
Confidentiality
Integrity
Availability
Examples of Confidentiality Risks
http://usatoday30.usatoday.com/life/people/2007-10-10-clooney_N.htm
Examples of Integrity Risks
http://www.wired.com/threatlevel/2010/03/source-code-hacks/
http://en.wikipedia.org/wiki/Operation_Aurora
"Operation Aurora"
Alleged Targets: Google, Adobe, Juniper Networks, Yahoo!, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical
Goal: To gain access to and potentially modify source code repositories at high tech, security & defense contractor companies
Examples of Integrity Risks
http://news.softpedia.com/news/700-000-InMotion-Websites-Hacked-by-TiGER-M-TE-223607.shtml
Web Defacements
Examples of Availability Risks
http://en.wikipedia.org/wiki/Blaster_worm
Viruses/worms that led to instability & system restart (e.g. Blaster worm)
Examples of Availability Risks
http://en.wikipedia.org/wiki/Ariane_5_Flight_501
Ariane 5 Flight 501 Rocket Launch Failure
Cause: Software bug in the handling of rocket acceleration data, where a 64-bit floating-point number was converted to a 16-bit signed integer without proper checks, leading to an arithmetic overflow
Interesting Resources
http://en.wikipedia.org/wiki/List_of_software_bugs
http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms
http://en.wikipedia.org/wiki/Hacktivism
http://en.wikipedia.org/wiki/Website_defacement
http://en.wikipedia.org/wiki/Hacker_(computer_security)
http://en.wikipedia.org/wiki/List_of_hackers
Protecting Information Privacy & Security
http://www.aclu.org/ordering-pizza
Privacy Protections: Why?
A recent article in JAMA
JAMA. 2015 Apr 14;313(14).
Recent JAMA Article
Common Security Terms
Attack
An attempt to breach system security
Threat
A scenario that can harm a system
Vulnerability
The "hole" that is used in the attack
Class Exercise
Identify some possible means an attacker could use to conduct a security attack
Simplified Attack Scenarios
(Diagram: client Alice, Server Bob, and the attacker Eve/Mallory)
- Physical access to client computer
- Electronic access (password)
- Tricking user into doing something (malware, phishing & social engineering)
- Intercepting (eavesdropping or "sniffing") data in transit
- Modifying data ("Man-in-the-middle" attacks)
- "Replay" attacks
- Unauthorized access to servers through
  - Physical means
  - User accounts & privileges
  - Attacks through software vulnerabilities
  - Attacks using protocol weaknesses
- DoS / DDoS attacks
- Other & newer forms of attacks possible
Safeguarding Against Attacks
(Diagram: the same Alice, Server Bob and Eve/Mallory setting; each group of safeguards below protects a different part of it)
Administrative Security
- Security & privacy policy
- Governance of security risk management & response
- Uniform enforcement of policy & monitoring
- Disaster recovery planning (DRP) & business continuity planning/management (BCP/BCM)
- Legal obligations, requirements & disclaimers
Physical Security
- Protecting physical access of clients & servers
- Locks & chains, locked rooms, security cameras
- Mobile device security
- Secure storage & secure disposition of storage devices
User Security
- User account management
- Strong password policy (length, complexity, expiry, no meaning)
- Principle of Least Privilege
- "Clear desk, clear screen" policy
- Audit trails
- Education, awareness building & policy enforcement
- Alerts & education about phishing & social engineering
System Security
- Antivirus, antispyware, personal firewall, intrusion detection/prevention system (IDS/IPS), log files, monitoring
- Updates, patches, fixes of operating system vulnerabilities & application vulnerabilities
- Redundancy (avoid "Single Point of Failure")
- Honeypots
Software Security
- Software (clients & servers) that is secure by design
- Software testing against failures, bugs, invalid inputs, performance issues & attacks
- Updates to patch vulnerabilities
Network Security
- Access control (physical & electronic) to network devices
- Use of secure network protocols if possible
- Data encryption during transit if possible
- Bandwidth monitoring & control
Database Security
- Access control to databases & storage devices
- Encryption of data stored in databases if necessary
- Secure destruction of data after use
- Access control to queries/reports
- Security features of database management systems (DBMS)
Privacy Safeguards
Image: http://www.nurseweek.com/news/images/privacy.jpg
Security safeguards
Informed consent
Privacy culture
User awareness building & education
Organizational policy & regulations
Enforcement
Ongoing privacy & security assessments, monitoring, and protection
User Security
Need for Strong Password Policy
So, two informaticians walk into a bar...
The bouncer says, "What's the password."
One says, "Password?"
The bouncer lets them in.
Credits: @RossMartin & AMIA (2012)
Access control
Selective restriction of access to the system
Role-based access control
Access control based on the person's role (rather than identity)
Audit trails
Logs/records that provide evidence of sequence of activities
User Security
Identification
Identifying who you are
Usually done by user IDs or some other unique codes
Authentication
Confirming that you truly are who you identify
Usually done by keys, PIN, passwords or biometrics
Authorization
Specifying/verifying how much you have access
Determined based on system owner's policy & system configurations
"Principle of Least Privilege"
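The three steps above (identification, authentication, authorization) and the least-privilege rule, as an added example that is not from the slides: a small role-based access control check with a fail-safe default (deny unless a role explicitly grants the permission) that writes every decision to an audit trail. The roles, permission names and user IDs are constructed assumptions for a hospital information system; the credential check itself is represented only by the `authenticated` flag.

```python
from dataclasses import dataclass, field

# Constructed example roles for a hospital information system; the roles, permission
# names and users below are illustrative assumptions, not taken from the slides.
ROLE_PERMISSIONS = {
    "physician": {"patient_record:read", "patient_record:write", "order:create"},
    "nurse": {"patient_record:read", "order:read"},
    "billing_clerk": {"invoice:read", "invoice:write"},
}


@dataclass
class Session:
    user_id: str                       # identification: the identity the user claimed
    authenticated: bool                # authentication: did the credential check succeed?
    roles: set = field(default_factory=set)


AUDIT_TRAIL = []   # one record per access decision: (user, permission, decision)


def permissions_of(session):
    """All permissions granted by the session's roles; unknown roles grant nothing."""
    granted = set()
    for role in session.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def authorize(session, permission):
    """Authorization with a fail-safe default: deny unless the session is authenticated
    AND some role explicitly grants the permission. Every decision is recorded."""
    allowed = session.authenticated and permission in permissions_of(session)
    AUDIT_TRAIL.append((session.user_id, permission, "ALLOW" if allowed else "DENY"))
    return allowed


def demo():
    AUDIT_TRAIL.clear()
    nurse = Session("n001", authenticated=True, roles={"nurse"})
    clerk = Session("b017", authenticated=True, roles={"billing_clerk"})
    # A claimed physician role without a successful credential check proves nothing.
    guest = Session("unknown", authenticated=False, roles={"physician"})
    return {
        "nurse_reads_record": authorize(nurse, "patient_record:read"),     # allowed
        "nurse_writes_record": authorize(nurse, "patient_record:write"),   # least privilege: denied
        "clerk_reads_record": authorize(clerk, "patient_record:read"),     # denied
        "unauthenticated_physician": authorize(guest, "order:create"),     # denied
        "audit_records": len(AUDIT_TRAIL),
    }
```

The audit trail here is a plain list; a production system would write it to append-only storage, since a log the attacker can edit is not evidence.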
User Security
Nonrepudiation
Proving the integrity, origin, & performer of an activity, so that the person cannot deny (repudiate) his actions
Most common form: signatures
Electronic signatures offer varying degrees of nonrepudiation
PIN/password vs. biometrics
Digital certificates (in public key infrastructure - PKI) often used to ascertain nonrepudiation
User Security
User Account Security
https://www.thaicert.or.th/downloads/files/BROCHURE_security_awareness.png
Multiple-Factor Authentication
Two-Factor Authentication
Use of multiple means ("factors") for authentication
Types of Authentication Factors
Something you know
Password, PIN, etc.
Something you have
Keys, cards, tokens, devices (e.g. mobile phones)
Something you are
Biometrics
User Security
Recommended Password Policy
Length
8 characters or more (to slow down brute-force attacks)
Complexity (to slow down brute-force attacks)
Consists of 3 of 4 categories of characters
Uppercase letters
Lowercase letters
Numbers
Symbols (except symbols that have a special meaning to the system or that could be used in an attack on it, e.g. SQL injection)
No meaning (to prevent "dictionary attacks")
Not simple patterns (12345678, 11111111) (to slow down brute-force attacks & prevent dictionary attacks)
Not easy to guess (birthday, family names, etc.) (to prevent guessing by strangers and by people who know you)
Personal opinion. No legal responsibility assumed.
Recommended Password Policy
Expiration (so that a brute-force attack cannot finish before the password changes)
6-8 months
Decreasing over time because of increasing computer speed
But be careful! Too short a duration will force users to write passwords down
Secure password storage in the database or system (encrypted, or store only password hashes)
Secure password confirmation
Secure "forgot password" policy
Different password for each account. Create variations to help remember. If not possible, have different sets of accounts for differing security needs (e.g., bank accounts vs. social media sites)
Personal opinion. No legal responsibility assumed.
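The password rules on the two "Recommended Password Policy" slides (length, 3 of 4 character categories, no simple patterns, no dictionary words) and the storage rule (keep only password hashes) in working form, as an added example that is not from the slides. The policy checker returns the list of rules a candidate violates; the storage functions use a random per-user salt with PBKDF2-HMAC-SHA256 and a constant-time comparison. The small pattern and dictionary lists and the iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os
import re
import string

# Constructed stand-ins for real wordlists (assumption: a deployment would use much larger lists).
SIMPLE_PATTERNS = {"12345678", "11111111", "qwertyui", "abcdefgh", "87654321"}
DICTIONARY = {"password", "welcome", "hospital", "medicine", "letmein"}
PBKDF2_ITERATIONS = 100_000   # assumption: work factor chosen for this example


def check_policy(password):
    """Return the list of policy rules the password violates (empty list = accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(categories) < 3:
        problems.append("fewer than 3 of 4 character categories")
    lowered = password.lower()
    if lowered in SIMPLE_PATTERNS or len(set(lowered)) == 1:
        problems.append("simple pattern")
    # A dictionary word padded with digits/symbols is still a dictionary word to a cracker.
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY:
        problems.append("dictionary word")
    return problems


def hash_password(password, salt=None):
    """What the system stores: a random per-user salt and a slow salted hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Because the salt is random, hashing the same password twice yields two different stored strings, which is exactly what stops an attacker who obtains the table from cracking all users with one precomputed list.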
Dictionary Attack: a story from my studies, the hacking of a system in the USA
Clear Desk, Clear Screen Policy
http://pixabay.com/en/post-it-sticky-note-note-corner-148282/
Techniques to Remember Passwords
http://www.wikihow.com/Create-a-Password-You-Can-Remember
Note that some of the techniques are less secure!
One easy & secure way: password mnemonic
Think of a full sentence that you can remember
Ideally the sentence should have 8 or more words, with numbers and symbols
Use first character of each word as password
Sentence: I love reading all 7 Harry Potter books!
Password: Ilra7HPb!
Voila!
Personal opinion. No legal responsibility assumed.
Password Sharing
Don't share your password with others
Password Expiration
Change your password every 3-6 months
Keylogger Attack: a story from club activities when I was a medical student
Rogue Wi-Fi Router: the password thief you must watch out for
Logout After Use
Always remember to log out after use, especially on public computers (if you step away from the screen even briefly, always lock the screen)
Mobile Security
https://www.thaicert.or.th/downloads/files/BROCHURE_mobile_malware.png
Mobile Security
Set a PIN for the lock screen; don't keep sensitive data on the device; take care not to lose it; if it is lost, report it immediately to have it suspended
Online (Shopping) Security
https://www.thaicert.or.th/downloads/files/info_ThaiCERT_Online-Shopping-Tips.jpg
Take good care of your credit card and your card number information
Use it only with trusted websites
Subscribe to an SMS alert service that notifies you whenever the card is charged
Always review your statement and check the transactions
E-mail Security
https://www.thaicert.or.th/downloads/files/info_ThaiCERT_Mail-Scam.jpg
E-mail & Online Security (Phishing)
https://www.thaicert.or.th/downloads/files/info_ThaiCERT_Phishing.jpg
Secure log-in for important websites: Microsoft Internet Explorer
Mozilla Firefox
Google Chrome
Secure log-in for important websites
Phishing Web Site
Phishing E-mail
Ransomware
Key signs that should raise suspicion of phishing
Poor grammar and many spelling mistakes; tries to get you to open an attachment, click a link, or reply to the e-mail without giving details
An e-mail from someone you know is not necessarily safe
Ways to Protect against Phishing
Don't be too trusting of people
Always be suspicious & alert
An e-mail with your friend's name & info doesn't have to come from him/her
Look for signs of phishing attacks
Don't open attachments unless you expect them
Scan for viruses before opening attachments
Don't click links in e-mail. Directly type in browser using known & trusted URLs
Be especially cautious if an e-mail asks for passwords, bank accounts, credit card numbers, social security numbers, etc.
Phishing Attack: a story from the life of Thai students in Minnesota
PC Security, Virus & Malware
https://www.thaicert.or.th/downloads/files/info_ThaiCERT_Phishing_Malicious-Code.jpg
File Sharing: a story from the life of Ramathibodi medical students (the curious kind)
Virus/Malware Attack & Windows Update: a story from work, the Chief IT Admin at Ramathibodi (who had to deal with a system outage)
Back-up Your Data: a story from work
Software Security
The most common cause of security bugs is invalid programming assumptions, which attackers will look for
Weak input checking
Buffer overflow
Integer overflow
Race condition (Time of Check / Time of Use vulnerabilities)
Running programs in new environments
Software Security
Adapted from Nicholas Hopper's teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Feeping creaturism (Creeping featurism)
Log files that contain sensitive information
Configuration bugs
Unnecessary privileges
Monoculture
Security bypass
Software Security
Adapted from Nicholas Hopper's teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Example of Weak Input Checking: SQL Injection
Consider a log-in form on a web page
Source code would look something like this:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
Attacker would enter as username:
' or '1'='1
Which leads to this always-true query:
statement = "SELECT * FROM users WHERE name = '" + "' or '1'='1" + "';"
statement = "SELECT * FROM users WHERE name = '' or '1'='1';"
http://en.wikipedia.org/wiki/SQL_injection
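The vulnerable query above beside its fixed form, as an added example that is not from the slides: the string-concatenated lookup and a parameterised lookup run against a constructed in-memory SQLite table, so the effect of the `' or '1'='1` input can be seen directly. It also adds an allow-list (whitelist) check on the username format, the input-validation practice listed under "Secure Software Best Practices" in this deck. The table contents, function names and the username pattern are assumptions.

```python
import re
import sqlite3

# Constructed sample data (not from the slides): a tiny users table.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")]
USERNAME_PATTERN = re.compile(r"^[a-z0-9_]{1,32}$")   # assumption: the site's allowed username format


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_name):
    # The slide's pattern: the user-supplied string becomes part of the SQL text itself.
    statement = "SELECT name FROM users WHERE name = '" + user_name + "';"
    return [row[0] for row in conn.execute(statement)]


def lookup_safe(conn, user_name):
    # Parameterised query: the value travels separately from the SQL text, so quote
    # characters inside it are data and can never change the query's structure.
    statement = "SELECT name FROM users WHERE name = ?;"
    return [row[0] for row in conn.execute(statement, (user_name,))]


def is_valid_username(user_name):
    # Allow-list validation as a second layer: reject anything that is not a plausible username.
    return USERNAME_PATTERN.match(user_name) is not None


def demo():
    conn = make_db()
    payload = "' or '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_vulnerable(conn, payload),   # returns every user
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_payload": lookup_safe(conn, payload),               # matches nothing
        "payload_passes_allowlist": is_valid_username(payload),
    }
```

The parameterised query is the actual fix; the allow-list check is defence in depth and would not be enough on its own, since legitimate inputs in other fields (free-text notes, for example) cannot be restricted this way.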
Economy of Mechanism
Design should be small & simple
Fail-safe default
Complete mediation
Check every access to every object
Open design
Separation of privilege / Least Privilege
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000). Adapted from Nicholas Hopper's teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Least common mechanism
Minimize complexity of shared components
Psychological acceptability
If users don't buy in to the security mechanism or don't understand how to use it, the system is insecure
Work factor
Cost of attack should exceed resources attacker will spend
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000). Adapted from Nicholas Hopper's teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Compromise recording
If too expensive to prevent a compromise, record it
Tamper evident vs. tamperproof
Log files
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000). Adapted from Nicholas Hopper's teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271. Image source: http://www.flickr.com/photos/goobelyga/2340650133/
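Compromise recording with a tamper-evident (rather than tamper-proof) log file, as an added example that is not from the slides: each entry carries an HMAC over the previous entry's tag plus its own record, so that editing or deleting an earlier line breaks every tag that follows it. The key, the record format and the sample access records are constructed assumptions.

```python
import hashlib
import hmac
import json


class TamperEvidentLog:
    """Append-only log whose entries form an HMAC chain. The key is an assumption:
    it would be held by the verifier (e.g. a separate log server), not by the
    machine that writes the log, so an intruder on that machine cannot re-sign."""

    GENESIS = "0" * 64

    def __init__(self, key):
        self._key = key
        self.entries = []     # list of (record_json, tag_hex)

    def _tag(self, prev_tag, record_json):
        msg = (prev_tag + "\n" + record_json).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, record):
        record_json = json.dumps(record, sort_keys=True)
        prev_tag = self.entries[-1][1] if self.entries else self.GENESIS
        self.entries.append((record_json, self._tag(prev_tag, record_json)))

    def verify(self):
        """Index of the first entry whose tag does not chain correctly, or -1 if intact."""
        prev_tag = self.GENESIS
        for i, (record_json, tag_hex) in enumerate(self.entries):
            if not hmac.compare_digest(self._tag(prev_tag, record_json), tag_hex):
                return i
            prev_tag = tag_hex
        return -1


def demo():
    key = b"constructed-demo-key"    # constructed; a real key comes from a key store
    log = TamperEvidentLog(key)
    log.append({"user": "n001", "action": "patient_record:read", "result": "ALLOW"})
    log.append({"user": "b017", "action": "patient_record:read", "result": "DENY"})
    log.append({"user": "n001", "action": "logout", "result": "ALLOW"})
    intact = log.verify()

    # An intruder rewrites the second line to hide a denied access attempt (tag left as is).
    edited = json.dumps({"user": "b017", "action": "invoice:read", "result": "ALLOW"}, sort_keys=True)
    log.entries[1] = (edited, log.entries[1][1])
    after_edit = log.verify()

    # An intruder instead deletes the second line: the third line's tag no longer chains.
    log2 = TamperEvidentLog(key)
    for rec in ({"e": 1}, {"e": 2}, {"e": 3}):
        log2.append(rec)
    del log2.entries[1]
    after_delete = log2.verify()
    return intact, after_edit, after_delete
```

One caveat the chain alone does not cover: silently truncating the newest entries leaves a still-valid chain, so the verifier must also anchor the latest tag somewhere the writer cannot reach (a periodic checkpoint sent to the log server, for instance).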
Defense in Depth
Multiple layers of security defense are placed throughout a system to provide redundancy in the event a security control fails
Secure the weakest link
Promote privacy
Trust no one
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000). Adapted from Nicholas Hopper's teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271. http://en.wikipedia.org/wiki/Defense_in_depth_(computing)
Modular design
Check error conditions on return values
Validate inputs (whitelist vs. blacklist)
Avoid infinite loops, memory leaks
Check for integer overflows
Language/library choices
Development processes
Secure Software Best Practices
Adapted from Nicholas Hopper's teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
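The "check for integer overflows" practice above and the Ariane 5 conversion failure from the availability-risk slide, as an added example that is not from the slides: an unchecked narrowing conversion that wraps around silently, beside a range-checked one that refuses values that do not fit, plus a guarded wrapper that returns a documented fallback. It generalises the 64-bit-to-16-bit case to any signed width; the 40000.0 sample reading and the fallback value are constructed.

```python
def to_int_unchecked(x, bits):
    """Mimics a C-style cast to a signed `bits`-wide integer: truncate toward zero,
    then keep only the low `bits` bits (two's-complement wraparound, no error)."""
    mask = (1 << bits) - 1
    v = int(x) & mask
    return v - (1 << bits) if v & (1 << (bits - 1)) else v


def to_int_checked(x, bits):
    """Range-checked conversion: refuse a value that does not fit instead of wrapping."""
    if x != x or x in (float("inf"), float("-inf")):
        raise ValueError("not a finite number")
    v = int(x)                          # truncation toward zero, like a C cast
    lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    if not lo <= v <= hi:
        raise OverflowError(f"{x} does not fit in a signed {bits}-bit integer")
    return v


def convert_or_fallback(x, bits, fallback):
    """What a guarded conversion looks like in practice: keep the value when it fits,
    otherwise return a documented fallback and a flag instead of a garbage number."""
    try:
        return to_int_checked(x, bits), True
    except (OverflowError, ValueError):
        return fallback, False


def demo():
    # Constructed sensor-style reading (a 64-bit float) that exceeds the 16-bit range.
    reading = 40000.0
    return {
        "unchecked": to_int_unchecked(reading, 16),        # -25536: silently wrong
        "checked_in_range": to_int_checked(32767.9, 16),   # 32767: fits after truncation
        "guarded": convert_or_fallback(reading, 16, 0),    # (0, False): caller sees the failure
        "unchecked_neg": to_int_unchecked(-40000.0, 16),   # 25536: wraps the other way
    }
```

The unchecked result is the dangerous one: a positive reading becomes a plausible-looking negative number, and nothing downstream can tell it was wrong.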
Malware
Malicious software - Any code with intentional, undesirable side effects
Virus
Worm
Trojan
Spyware
Logic Bomb/Time Bomb
Backdoor/Trapdoor
Rootkit
Botnet
Malware
Virus
Propagating malware that requires user action to propagate
Infects executable files, data files with executable contents (e.g. Macro), boot sectors
Worm
Self-propagating malware
Trojan
A legitimate program with additional, hidden functionality
Malware
Spyware
Trojan that spies for & steals personal information
Logic Bomb/Time Bomb
Malware that triggers under certain conditions
Backdoor/Trapdoor
A hole left behind by malware for future access
Malware
Rogue Antispyware (Ransomware)
Software that tricks or forces users to pay before "fixing" the (real or hoax) spyware it claims to have detected
Rootkit
A stealth program designed to hide existence of certain processes or programs from detection
Botnet
A collection of compromised Internet-connected computers (bots) that the botnet's controller can use to do something (e.g. DDoS attacks)
Malware
Installed & updated antivirus, antispyware, & personal firewall
Check for known signatures
Check for improper file changes (integrity failures)
Check for generic patterns of malware (for unknown malware): "Heuristics scan"
Firewall: Block certain network traffic in and out
Sandboxing
Network monitoring & containment
User education
Software patches, more secure protocols
Defense Against Malware
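Two of the antivirus checks listed above, signature matching and detection of improper file changes, as an added example that is not from the slides: a SHA-256 baseline of a directory is taken while it is known-clean, then compared after a simulated infection, and each file is also scanned for known byte patterns. The sample files, the simulated changes and the single "signature" are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed byte-pattern "signatures" for the demo only; real products use far richer rules.
SIGNATURES = {"demo-injector": b"\x00INJECT"}


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def compare(base, current):
    """Integrity check: which files changed, appeared, or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in base if p in current and base[p] != current[p]),
        "added": sorted(p for p in current if p not in base),
        "removed": sorted(p for p in base if p not in current),
    }


def scan_signatures(root):
    """Signature check: files that contain any known malicious byte pattern."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            for sig_name, pattern in SIGNATURES.items():
                if pattern in data:
                    hits[os.path.relpath(full, root)] = sig_name
    return hits


def demo():
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files standing in for an application binary and its config.
        for name, content in (("app.exe", b"program v1"), ("config.ini", b"debug=0")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        base = baseline(root)           # taken while the system is known-clean
        # Simulated infection: one file altered, one file dropped, one file deleted.
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"\x00INJECT")
        with open(os.path.join(root, "helper.dll"), "wb") as f:
            f.write(b"dropped")
        os.remove(os.path.join(root, "config.ini"))
        return compare(base, baseline(root)), scan_signatures(root)
```

The integrity comparison catches the dropped and deleted files that the signature scan knows nothing about, which is why the slide lists both checks; the baseline itself must be stored where malware on the same host cannot rewrite it.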
Social media spams/scams/clickjacking
Social media privacy issues
User privacy settings
Location services
Mobile device malware & other privacy risks
Stuxnet (advanced malware targeting certain countries)
Advanced persistent threats (APT) by governments & corporations against specific targets
Newer Threats
US-CERT
U.S. Computer Emergency Readiness Team
http://www.us-cert.gov/
Subscribe to alerts & news
Microsoft Security Resources
http://technet.microsoft.com/en-us/security
http://technet.microsoft.com/en-us/security/bulletin
Common Vulnerabilities & Exposures
http://cve.mitre.org/
More Information
Q & A