Cyberspace : Privacy and Security Issues

Transcription

1 Cyberspace : Privacy and Security Issues Chandan Mazumdar Professor, Dept. of Computer Sc. & Engg Coordinator, Centre for Distributed Computing Jadavpur University November 4, 2017

2 Agenda Cyberspace Privacy Security Cyberspace Stakeholders, Assets, Security Controls Conclusion 2

3 Different spaces of human activity Land space Sea space Air space Deep Sea space Outer space Cyber space The last space is truly virtual

4 The Present Scenario of cyber space IT is all pervasive World Wide Web Convergence of Technologies and Applications Progressive dependence on IT for strategic, tactical end result Proliferation of E-Business & E-Governance

5 Primary Assets of Organizations Business Processes and Activities Information Intangible Assets like Reputation Today s organizations are distributed in nature Both processes and information are distributed

6 Reasons of Distributing Geographically distributed environment Speed up Resource sharing Fault tolerance

7 Value of Data Financial Technical Business Strategic Privacy There is motivation to steal or tamper data There is motivation to block legitimate access to data or service

8 Issues of Privacy Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual s identity, either alone or when combined with other information that is linked or linkable to a specific individual. The issue of privacy arises when a person shares PII with any service provider.

9 Privacy terminologies Processing: Operation or set of operations performed upon PII that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal of PII. Data Actions: System operations that process PII. Problematic Data Action: A data action that causes an adverse effect, or problem, for individuals. Privacy control: The administrative, technical, and physical safeguards employed within an agency to ensure compliance with applicable privacy requirements and manage privacy risks.

10 Privacy Concerns Unauthorized access of PII embarrassment or other emotional distress from the unauthorized release of information, economic loss from identity theft, or physical or psychological harm from stalking. Processing of PII Loss of Trust Economic Loss Discrimination Stigmatization, Power imbalance Loss of self determination Loss of autonomy, Loss of liberty, Exclusion, Physical harm

11 Fair Information Practice Principles Access and Amendment by Individuals Accountability Authority of processing PII Minimization of PII requirement and storage Data Quality and Integrity Individual Consent and Participation Purpose specification and Use limitation Security of PII administrative, technical and physical safeguards Transparency of PII policies and practises

12 Terminologies -- Concerns Vulnerability An inherent weakness in the design, configuration, or implementation of a network or system that renders it susceptible to a threat Threat Anything that can disrupt the operation, functioning, integrity, or availability of a network or system Threats exploit vulnerabilities Threats may be internal or external Security Concern Each threat-vulnerability pair represents a security concern

13 Terminologies Security Parameters Confidentiality Important data must not be accessible to unauthorized persons Integrity Data consistency should never be compromised. All modifications must be done using authorized means by authorized agents only Availability The Legitimate users must have access to the data or service when they need

14 Terminologies Methods Authentication Process of proving the identity of the agent performing a transaction / of the source of data Authorization Process of granting permission to some agent(s) for performing some action(s) on some object(s) Non-repudiation Establishing accountability of the originator or recipient of a communication or action

15 Terminologies Misc. Trusted System A system which can be verified to implement a given security policy Intruder An agent who gains, or attempts to gain unauthorized access to a computer system or to gain unauthorized privileges on that system Auditing Process of retaining and using the sequence of data to prove the actions performed by agents in a computer system

16 exploit Threats Vulnerabilities Protect against increase increase expose Security Controls reduce Security Risks Assets met by indicate increase have Security Requirements indicate Asset Values and Potential Impacts

17 Difficulty in Security Design Functional Correctness Program satisfies specification For reasonable input, get reasonable output System Security Program properties are preserved in the face of attack For unreasonable input, output not completely disastrous Main difference Active interference from adversary Refinement techniques may fail More functionality can be worse

18 Security in Enterprises System Model Adversary Model Identify Security Properties Ensure that the properties are preserved under attack Result No absolute security Security means: Under given assumptions about the system, no attack of a given form will destroy specified properties

19 Building Blocks of Security Access Security Controlling access to individual systems and networks Communications Security Providing confidentiality, integrity and authenticity to data in transit Storage Security Controlling access to data or programs in store Application Security Controlling access to Application Programs

20 Security Measures Prevention? Reduction? Detection? Repression? Correction? Evaluation?

21 Problems To determine how much is too much, so that we can implement appropriate security measures to build adequate confidence and trust We want a powerful logic for implementing or not implementing a security measure

22 RISK MANAGEMENT High Probability Low Impact Contain & Control Ignore Prevent Insurance & Back-up Plan High Impact Low Probability

23 Difference in Approach In Information System Design, we look for the functional properties the need is correctness and liveness on the face of known inputs and mistakes In IS Security Design, we should look for the safety and protection of assets on the face of unknown malicious activity

24 Nature of Cyber Space Cyberspace is a virtual environment It does not exist in any physical form It is a complex environment or space resulting from the emergence of the Internet Includes the people, organizations, and activities on all sorts of technology devices and networks that are connected to Internet 24

25 Relationships between Security Domains 25

26 Stakeholders in Cyber Space The Cyberspace belongs to no one; everyone can participate and have a stake in it Stakeholders in Cyberspace are categorized as Consumers Persons and Organizations Providers Organizations and Persons 26

27 Assets Personal Online Identity, Virtual references, Profiles, Virtual Currency, Organizational URL, Website Information, Online Brand, Intellectual Property, Business Plans, Strategies,

28 Threats Threats to personal assets Personal identity theft, denial of virtual activities, unauthorized access to online financial information and currency, Endpoint attacks, Threats to Organizational assets Website defacement, Denial of Access, Privacy breach, Threats to National Security Data, Large Scale Infrastructure Attacks, Threat agents are individuals or organizations with specific motives and capabilities

29 Attacks From Private Networks From the Internet

30 Roles of Stakeholders Individuals General users, Buyers Seller, Bloggers and content contributors, Members of organizations, Providers Information Providers, Goods and Service delivery, File and Message delivery, Responsibility of Good citizens and copporates

31 Consumer responsibilities The consumer should learn and understand Security and Privacy Policies of the site and applications Security and Privacy risks involved while using a site or application Manage personal privacy issues Manage online identities Monitor and report suspicious activities / incidents As buyer/seller, understand the authenticity of online marketplace and its security and privacy policies As blogger or content contributor, follow the restrictions provided by the IT Act As member of an organization, learn and practice the corporate security and privacy policy and his authorities

32 Corporate responsibilities Manage Information Security Risks Address security requirements for web-hosting and other cyber application services Provide security guidances

33 Cyber Security Controls Application level controls Server protection End-user Controls Controls against Social Engineering Attacks Cyber Security Readiness Information Sharing and Coordination

34 Conclusion Whether we want or not, all of us have to live in the Cyber world There are security and privacy issues in the Cyber world Every individual should have the basic ideas of these issues to protect him / her from crimes in the cyberspace by playing responsible roles Corporates and government agencies also should play responsible roles

35 THANK YOU