1. MIST 2012
Panel Discussion: “Key Challenges in
Defending Against Insider Threats”
Ruo Ando
National Institute of Information and
Communications Technology
Tokyo, Japan
3. Outline: insider threat and data leakage
Information leakage is one of the most serious kinds of damage caused by insider threats. In this talk, I will introduce some key issues about ex-post countermeasures against information leakage.
① First, the "data lives forever" problem is introduced. Once sensitive information has leaked over the Internet, we have no effective countermeasure to nullify it. Some topics such as advanced secret sharing and the right to be forgotten will be noted.
② Second, I will talk briefly about "data sovereignty", to provide a logical and technical basis for tracking information that has spread. PDP (provable data possession) could be one of the solutions.
③ Finally, I will present some actual cases concerning these problems.
4. Insider Threats and Information leakage
[Pie chart: Incidents by Breach Type, from http://www.datalossdb.org, 2012/11. Slices legible on the slide: Lost Tape 14%, Stolen Document 14%, Disposal Document 14%.]
Attacks from outside by hacking are motivated by botnets, FaaS, etc. Data leakage is one of the main purposes of an insider attack. Besides, this kind of threat causes retroactive disclosure.
Social engineering and APT are sometimes so hard to prevent technically.
Data lives forever: once sensitive data is released to the network, it circulates forever.
Information leak: retroactive disclosure. Leaked sensitive data can be retrieved later and reactivated as an offense.
5. Can reactivation as an offense be mitigated?
Is an ex-post countermeasure possible?
Is it unstoppable even if we adopt domain seizure in Amazon EC2?
Can DLP protect sensitive data sent from SNS?
Is it possible to prevent uploading sensitive files?
2012/08 news: "Dropbox Confirms User Email Leaks – Adds Additional Protection"
IDC's survey: Top threats to enterprise security, 2008 vs 2010
  Threat                            2008  2010
  Trojans, viruses, other malware    54    78
  Spyware                            48    74
  Hackers                            41    67
  Employees exposing information     52    66
  Equipment misconfiguration         41    61
  Application vulnerabilities        44    59
  Spam                               39    58
  Data stolen by trusted party       38    53
  Insider sabotage                   34    49
6. Japan's case: information leakage via P2P networks
2005/06: Documents of a nuclear power plant of Mitsubishi were leaked.
2008/03/22: National Bank of Japan leaks confidential insider information.
2009/01/08: National Information-Technology Promotion Agency: a database of the Ministry of Internal Affairs and the National Patent Office.
2009/04/02: Tokyo Rinkai Hospital: a list of 598 inpatients' information.
2010/10/30: The Metropolitan Police Department section in charge of international terrorism spills a confidential list over P2P networks.
7. Data Sovereignty in the cloud computing era
Data sovereignty: the coupling of stored data authenticity and geographical location in the cloud.
(Zachary N. J. Peterson, Mark Gondree, and Robert Beverly. A Position Paper on Data Sovereignty: The Importance of Geolocating Data in the Cloud. USENIX HotCloud 2011.)
However, as the cloud computing environment has become international, securing data sovereignty is getting harder and harder. Geolocation technology could be cheated. PDP (Provable Data Possession) could be one of the solutions to this problem: with a small random challenge, the client can check that the responding server really holds the data, instead of trusting its claim about where the data is.
(Giuseppe Ateniese, Randal C. Burns, Reza Curtmola, Joseph Herring, Lea Kissner, Zachary N. J. Peterson, Dawn Xiaodong Song. Provable data possession at untrusted stores. ACM CCS 2007.)
8. "Data lives forever" problem
• WikiLeaks
WikiLeaks is an international organization that publishes submissions of otherwise unavailable documents from anonymous sources and leaks. On July 25, 2010, WikiLeaks released to The Guardian, The New York Times, and Der Spiegel over 92,000 documents related to the war in Afghanistan between 2004 and the end of 2009.
• "Right to forget and delete"
The European Commission set out a strategy to strengthen EU data protection rules in Nov 2010: "Controlling your information, having access to your data, being able to modify or delete it – these are essential rights that have to be guaranteed in today's digital world."
9. P2P security
VANISH: self-destructing data
Roxana Geambasu, Tadayoshi Kohno, Amit Levy, Henry M. Levy. Vanish: Increasing Data Privacy with Self-Destructing Data. In Proceedings of the USENIX Security Symposium, Montreal, Canada, August 2009.
Technology: secret sharing protocol and DHT.
In the Vanish system, the shared data becomes unreadable after a fixed interval, because the key shares stored in the DHT time out. Bob sends {C, L} to Alice. Vanish is implemented on the Vuze DHT.
[Diagram: Bob computes C = E_K(data), splits K by secret sharing into shares K1, K2, ..., KN, and stores each share, with a timeout, at a random index derived from L in the DHT. Alice receives {C, L}, fetches the shares from the random indexes (L), reconstructs K, and computes data = D_K(C). Once the shares time out, K can no longer be rebuilt.]
10. P2P security
UNVANISH: reconstructing data
Scott Wolchok, Owen S. Hofmann, Nadia Heninger, Edward W. Felten, J. Alex Halderman, Christopher J. Rossbach, Brent Waters, and Emmett Witchel. Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs. Network and Distributed System Security Symposium (NDSS 2010).
Unvanish mounts Sybil nodes into the DHT that copy every key share they observe before it times out, so that K, and hence the data, can be reconstructed after the shares have "vanished".
[Diagram: same as the Vanish diagram, with Unvanish's Sybil nodes sitting in the DHT beside the random indexes (L) and hoarding the shares K1, K2, ..., KN; C = E_K(data), data = D_K(C).]
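A toy model of the two preceding slides, Vanish (slide 9) and Unvanish (slide 10), as one added example; it is not code from the talk or from either paper and it shows the mechanism only. Shamir secret sharing over a prime field stands in for Vanish's sharing, a dictionary with per-entry expiry stands in for the Vuze DHT, a SHA-256 keystream stands in for the real symmetric cipher, and a crawler that copies every value it sees before expiry stands in for Unvanish's Sybil nodes. The share count, threshold, 8-hour timeout and all names (`encapsulate`, `decapsulate`, `SybilCrawler`, `scenario`) are assumptions for the example.

```python
"""
Toy Vanish (self-destructing data) and Unvanish (Sybil hoarding).

Added example; not code from the talk or from either paper.  Assumptions:
Shamir sharing over PRIME, a dict with expiry as the DHT, a SHA-256 XOR
keystream as the cipher, 10 shares / threshold 7 / 8-hour timeout.
"""
from __future__ import annotations

import hashlib
import os
import secrets
from collections import namedtuple

PRIME = 2**127 - 1  # assumption: Shamir field; keys drawn below it fit in 16 bytes


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, n: int, threshold: int) -> list[tuple[int, int]]:
    """Shamir (threshold, n): random degree threshold-1 polynomial with
    constant term = secret, evaluated at x = 1..n."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over exactly `threshold` distinct shares
    (fewer give garbage, not an error, so callers check the count first)."""
    result = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        result = (result + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return result


def keystream_xor(key_int: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || counter).  Symmetric, so the
    same call encrypts and decrypts.  Stand-in only, not for real use."""
    key = key_int.to_bytes(16, "big")
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def share_index(access_key: bytes, i: int) -> bytes:
    """DHT index of share i, derived from the random access key L in the VDO."""
    return hashlib.sha256(access_key + i.to_bytes(4, "big")).digest()


class DHT:
    """Stand-in for the Vuze DHT: index -> (value, expiry hour)."""

    def __init__(self) -> None:
        self.store = {}

    def put(self, index: bytes, value, now: int, ttl: int) -> None:
        self.store[index] = (value, now + ttl)

    def get(self, index: bytes, now: int):
        entry = self.store.get(index)
        if entry is None or now >= entry[1]:  # timed out: the share is gone
            return None
        return entry[0]


# Vanishing Data Object {C, L}: what Bob sends to Alice.
VDO = namedtuple("VDO", "ciphertext access_key n threshold")


def encapsulate(dht: DHT, data: bytes, now: int, n=10, threshold=7, ttl=8) -> VDO:
    """Bob: C = E_K(data); split K into n shares; push them into the DHT with a timeout."""
    key = secrets.randbelow(PRIME)
    access_key = os.urandom(16)
    for i, share in enumerate(split_secret(key, n, threshold)):
        dht.put(share_index(access_key, i), share, now, ttl)
    return VDO(keystream_xor(key, data), access_key, n, threshold)


def _assemble(vdo: VDO, lookup) -> bytes | None:
    """Fetch shares via lookup(index); rebuild K if enough survive; decrypt."""
    found = (lookup(share_index(vdo.access_key, i)) for i in range(vdo.n))
    live = [s for s in found if s is not None]
    if len(live) < vdo.threshold:
        return None
    return keystream_xor(recover_secret(live[:vdo.threshold]), vdo.ciphertext)


def decapsulate(dht: DHT, vdo: VDO, now: int) -> bytes | None:
    """Alice: read shares from the live DHT; fails once they have timed out."""
    return _assemble(vdo, lambda idx: dht.get(idx, now))


class SybilCrawler:
    """Unvanish: Sybil nodes that hoard every share they see before it expires."""

    def __init__(self) -> None:
        self.archive = {}

    def crawl(self, dht: DHT, now: int) -> None:
        for idx, (value, expiry) in dht.store.items():
            if now < expiry:
                self.archive[idx] = value  # copied with no expiry

    def reconstruct(self, vdo: VDO) -> bytes | None:
        """Later, from the hoard alone, rebuild K and read the 'vanished' data."""
        return _assemble(vdo, self.archive.get)


def scenario() -> tuple[bytes | None, bytes | None, bytes | None]:
    """Hour 0: Bob encapsulates.  Hour 1: Alice reads it.  Hour 2: Sybils crawl.
    Hour 9: shares have timed out, Alice fails, but the Sybil hoard still works."""
    dht = DHT()
    data = b"constructed sample: list of 598 inpatients"
    vdo = encapsulate(dht, data, now=0)
    before = decapsulate(dht, vdo, now=1)
    crawler = SybilCrawler()
    crawler.crawl(dht, now=2)
    after = decapsulate(dht, vdo, now=9)
    return before, after, crawler.reconstruct(vdo)


if __name__ == "__main__":
    print(scenario())
```

The lesson of `scenario()` is the one the Unvanish paper draws: the timeout protects the data only against parties who were not watching the DHT while the shares were alive, and in an open DHT anyone can watch by running enough cheap Sybil nodes. Raising the threshold does not help, because the hoarder sees the same shares Alice does.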
11. Example: propagation speed over DHT network
[Figure: two plots of a DHT crawl against time, x-axis: hours 0 to 26. Top: hourly increase (diff) of discovered nodes, log scale from 10,000 to 1,000,000. Bottom: cumulative number of nodes, 0 to 12,000,000.]
In the first 4 hours, we can obtain more than 4,000,000 peers! After 5 hours, Δ (the increase) becomes stable.
BitTorrent traffic rate of all Internet traffic, estimates:
① "55%" - CableLabs: about a half of the upstream traffic of CATV.
② "35%" - CacheLogic: "LIVEWIRE - File-sharing network thrives beneath the radar".
③ "60%" - documents in www.sans.edu: "It is estimated that more than 60% of the traffic on the internet is peer-to-peer."