Security And Privacy Cagliari 2012
Lecture to a PhD student summer school on security and privacy from the financial-industry and consumer perspectives
Presentation Transcript

  • Slide 1: Perspectives on Consumers' Privacy and Security Tradeoffs. Marco Morana, Global Industry Committee, OWASP Foundation. OWASP Summer School on Computer Security & Privacy, 27-31 August 2012. Copyright © 2011 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation, http://www.owasp.org
  • Slide 2: Do you know OWASP?
  • Slide 3: About myself and my career journey
  • Slide 4: "Privacy is one of the biggest problems in this new electronic age... At the heart of the Internet culture is a force that wants to find out everything about you. And once it has found out everything about you and two hundred million others, that's a very valuable asset, and people will be tempted to trade and do commerce with that asset. This wasn't the information that people were thinking of when they called this the information age." (What I've Learned: Andy Grove, Former Chairman of Intel, 63, Santa Clara, California, http://www.esquire.com/features/what-ive-learned/what-ive-learned-archive)
  • Slide 5: Presentation Objective & Agenda. Objective: different perspectives regarding privacy, the trade-offs between the different needs of consumers and businesses, and future trends. Agenda:
    • PART I: Doing business with customers' private information
    • PART II: Threats to consumers' private information and measures to protect it
    • PART III: Future trends affecting data privacy
  • Slide 6: PART I: Doing Business with Customers' Private Information
  • Slide 7: Factors that Limit Personal Privacy (diagram around "Personal Data Privacy"): Law Enforcement, Social Networking, Targeted Marketing, Taxation
  • Slide 8: Factors that Enable Personal Data Privacy: Anonymity, Data Privacy Laws & Controls, Personal Confidentiality, Data Privacy Security Controls (e.g. Encryption)
  • Slide 9: ...about Privacy:
    1. Privacy is a personal right
    2. There are different types of privacy: health, political, race/sex etc.; financial privacy is important for the avoidance of fraud and identity theft
    3. Privacy is traded off against different needs such as networking, business, marketing, compliance and law enforcement
    4. Businesses collect, process and store customers' private and confidential information for different reasons
    5. Data confidentiality and privacy have similar goals
    6. New technologies such as social networks, online services and cloud computing challenge the notion of personal privacy
    7. Perspectives about privacy change with time
  • Slide 10: Private and Personally Identifiable Information. Private information and Personally Identifiable Information (PII) uniquely identify an individual. What is private and PII varies among countries, e.g.:
    • US SB1386: Name and SSN, Driver's License No., Account/Credit/Debit Account No. + PIN
    • EU Directive 95/46, Article 2a: personal data is any information relating to an identified or identifiable person, by identification number or by one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
  • Slide 11: Data Breach Notification Rules in Italy. Legislative Decree 69/2012 (in force since June 1st 2012, implementing in Italy Directive no. 2009/136/EC). Definition of personal data breach: a breach of security leading to the accidental destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Procedures to deal with a personal data breach:
    • Shall notify the Italian Data Protection Authority ("DPA" or Garante) without undue delay (e.g. 72 hrs for ISPs);
    • Shall notify the data subject; the notification is required unless the provider is able to give evidence to the DPA that it has implemented appropriate security measures;
    • Failure or delay to notify a personal data breach to the DPA is sanctioned with a fine ranging between EUR 25,000 and EUR 150,000
  • Slide 12: Trade-offs Between Business and Privacy Needs (business need / matching privacy need):
    • Collection and processing of customers' PII (C-PII) and sensitive information / Protection of C-PII and sensitive information in storage and transmission
    • Sharing of C-PII and personal information with 3rd parties and affiliates / Disclosure of, and consent to, which 3rd parties/affiliates C-PII is shared with
    • Compliance with privacy laws, data breach notification laws and security policies / Notifications to customers when private data is collected and when it is either lost or compromised
  • Slide 13: Collection and Processing of PII. In the case of financial institutions, PII is:
    • Collected online and at a branch when opening bank accounts, applying for loans, running credit reports, applying for credit cards and using online banking
    • Processed and stored to identify/verify the customer by asking, for example, for the last four digits of the SSN and account number: over the phone for bank account balances and bill payments; online for user validation when resetting a password/PIN; online to authenticate a user with challenge questions
  • Slide 14: Collection and Processing of PII Examples
  • Slide 15: Private Data Collection Examples
  • Slide 16: PART II: Threats to private information and measures to protect it
  • Slide 17: Statistical Data of Data Loss Incidents (*). Hacking and external attacks are the major cause of private data losses and are increasing (32% to 61% and 53% to 75%). NAA, SSN and DOB represented the majority of private data records lost last year; this year they are PWD, EMA and SSN. (*) Source: DataLossDb.org, http://www.datalossdb.org
  • Slide 18: "...In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook." "...all you need in addition to someone's e-mail is a billing address and the last four digits of a credit card." (*) Source: How Apple and Amazon Security Flaws Led to My Epic Hacking, http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
  • Slide 19: Cost to Businesses for Loss of PII:
    1. Data breach cost per data record lost: $222/record (*)
    2. Out-of-pocket cost per identity fraud incident: $631/victim/incident (**)
    (*) Source: 2011 Cost of a Data Breach: United States, Ponemon Institute and Symantec, March 2012. (**) Source: The 2011 Identity Fraud Survey Report by Javelin Strategy & Research, http://www.identityguard.com/downloads/javelin-2011-identity-fraud-survey-report.pdf
  • Slide 20: Security Measures and Protection of Privacy. Businesses protect their customers' private information with:
    • Information Security Policy: requirements for protection of the Confidentiality, Integrity and Availability (CIA) of customers' private data
    • Data classification: Public, Internal, Confidential, PII, Restricted
    • Security measures: controls (Authentication, Entitlements, Encryption, Session Management, Auditing & Logging); measures (Security Audits); Information Security and Privacy Officers
  • Slide 21: Opt-out Privacy Controls: Privacy Notices from US Banks
  • Slide 22: Opt-in Privacy Controls: Cookies & Preferences
  • Slide 23: PART III: Future trends affecting data privacy
  • Slide 24: Individuals' Awareness of Privacy. "Maybe Zuckerberg is right. The mores of privacy are changing, and 'people don't want complete privacy.' Teens may be the first adopters of this change." Source: http://trends.myyearbook.com/2010/07/facebook-privacy-issues-not-an-issue-for-teens/
  • Slide 25: Adoption of New Technologies and New Challenges for Consumers' Privacy. Timeline (1997, 2000, 2005, 2007, 2010, 2012, 2015, 2017) of technologies: Webmail, Internet, Social Networks, Smartphones, Cloud computing, Location-aware applications, Social TVs, Mobile Payments, Social Analytics, Virtual Assistants, BYOD, Big data, Gesture Recognition, Biometric Authentication, Face Recognition, Internet of Things
  • Slide 26: Law Enforcement vs. Individuals' Privacy. Sources: https://www.eff.org
  • Slide 27: Companies' Privacy Practices Are Increasingly Under Scrutiny
  • Slide 28: Future Privacy Legislation in the EU (*):
    1. EU regulation for 27 countries
    2. Any processed PII data for EU citizens (including IP addresses and GPS location data)
    3. 24-hour data breach notification
    4. Mandatory annual security assessments
    5. EU citizens will have the right to request extended erasure of their personal data
    6. Fines up to 2% of company worldwide annual turnover
    (*) Source: http://www.donneespersonnelles.fr/6-things-you-need-to-know-about-the-new-eu-privacy-framework
  • Slide 29: Open Questions.
    Questions for consumers:
    1. What are my privacy rights?
    2. How can I control my privacy?
    3. Which PII can be disclosed, and to whom?
    4. Who is legally liable for PII data that is lost?
    Questions for businesses:
    1. Which are the privacy rights of my customers?
    2. Which security policies protect customers' PII in compliance with privacy laws?
    3. How soon do I need to inform my customers of a breach of PII and/or identity theft fraud?
    4. When can customers' PII be disclosed to law enforcement?
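Slides 10 and 20 above describe, respectively, what counts as PII under the US SB1386 summary and the data classes and controls (including auditing and logging) a business applies to customer records. The following Python turns both into executable checks: it classifies a record into the slide's data classes, decides whether losing that record would trigger SB1386-style breach notification, and produces the masked view of the record that an audit log may keep. This is an added example, not code from the lecture or from any OWASP project; the field names, the field-to-class mapping, the masking policy and the simplified SB1386 rule are assumptions made for illustration.

```python
"""Added example (not from the lecture or OWASP): classify a customer record,
test whether losing it would trigger SB1386-style breach notification as
summarised on slide 10, and mask it before it reaches an audit log (slide 20).
Field names, the class mapping and the simplified rule are assumptions."""
import re

# Data classes from slide 20, in the assumed order of increasing sensitivity.
LEVELS = ["Public", "Internal", "Confidential", "PII", "Restricted"]

# Assumed mapping of record fields to classes (illustrative, not a standard).
FIELD_CLASS = {
    "product": "Public",
    "branch": "Internal",
    "email": "Confidential",
    "name": "PII",
    "dob": "PII",
    "ssn": "Restricted",
    "drivers_license": "Restricted",
    "account_no": "Restricted",
    "pin": "Restricted",
}


def classify(record):
    """Return the highest class among the populated fields of the record.
    Unknown fields default to Confidential so nothing silently becomes Public."""
    ranks = [LEVELS.index(FIELD_CLASS.get(key, "Confidential"))
             for key, value in record.items() if value]
    return LEVELS[max(ranks)] if ranks else "Public"


def sb1386_notifiable(record):
    """Simplified reading of slide 10's SB1386 summary: a name combined with an
    SSN, a driver's license number, or an account number plus its PIN."""
    if not record.get("name"):
        return False
    if record.get("ssn") or record.get("drivers_license"):
        return True
    return bool(record.get("account_no") and record.get("pin"))


def mask_digits(value, keep_last=4):
    """Keep only the last few digits, the way statements show account numbers."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= keep_last:
        return "*" * len(digits)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def mask_email(value):
    """Keep the first character of the local part and the domain."""
    local, _, domain = value.partition("@")
    return local[:1] + "*" * (len(local) - 1) + "@" + domain


def mask_record(record):
    """Log-safe view of a record: the credential removed entirely, identifiers
    truncated, direct identifiers redacted, Public/Internal fields unchanged."""
    out = {}
    for key, value in record.items():
        if not value:
            out[key] = value
        elif key == "pin":
            out[key] = "****"  # a credential is never logged, even partially
        elif key in ("ssn", "account_no", "drivers_license"):
            out[key] = mask_digits(value)
        elif key in ("name", "dob"):
            out[key] = "[redacted]"
        elif key == "email":
            out[key] = mask_email(value)
        else:
            out[key] = value
    return out


# Constructed sample records (fictitious data, assumed field names).
CUSTOMER = {
    "product": "checking", "branch": "Cagliari 01",
    "email": "anna.rossi@example.com", "name": "Anna Rossi", "dob": "1980-04-12",
    "ssn": "123-45-6789", "drivers_license": "",
    "account_no": "0001234567", "pin": "4321",
}
PARTIAL = {"name": "Bruno Bianchi", "email": "b@example.com",
           "account_no": "9876543210"}

if __name__ == "__main__":
    for rec in (CUSTOMER, PARTIAL, {"product": "savings"}):
        print(classify(rec), sb1386_notifiable(rec), mask_record(rec))
```

Note that the masked record still carries the last four digits of the SSN and account number, which slide 13 says a bank may accept as a verification factor over the phone or online; in this scheme the masked view is therefore logged as Confidential rather than Public, and the PIN is dropped altogether rather than truncated.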