
Building World Class Security Products with Privacy by Design


VeriClouds developed one of the world's largest databases of breached credentials and sensitive data gathered from the Dark Web that operates to promote security and safety for the true owners or persons entitled to the data. Thoughtful choices were made at every step to make sure that a database of more than 9 billion stolen credentials could never be used as a weapon against an organization's executives, privileged users or customers. In this talk, Steve shares how VeriClouds' privacy by design philosophy helped to navigate the legal landscape while ensuring compliance with regulatory guidelines such as GDPR and NIST.


  1. ©2018 AppBugs, Inc. All Rights Reserved. Building World Class Security Products with Privacy by Design. Steve Tout, CEO, VeriClouds, @stevetout
  2. All information contained in this presentation and all information provided by the speaker is for informational purposes only. Neither VeriClouds nor the speaker is an attorney and, as such, no advice in this presentation is intended to be, or should be considered to be, legal advice.
  3. THE BIG IDEA
     Identity theft and account takeover fraud cost consumers $21 billion in 2017. Cyber crime damage costs to hit $6 trillion annually by 2021. A large part of the problem is the billions of credential data sets available for sale on the dark web and online.
     • GOVERNMENTS ARE NOT AS SAFE AS THEY SHOULD BE. THINK OPM.
     • COMPANIES ARE NOT AS SAFE AS THEY COULD BE. THINK YAHOO.
     • TODAY’S SECURITY IS NOT SECURE. THINK EQUIFAX.
  4. We wanted to build something different
     • We are all victims now
     • It’s not enough to ask HaveIBeenPwned?
     • How at risk are my users and is my organization?
  5. Credential analytics
     • Collect
     • Detect
     • Protect
     9 billion breached credentials: Toxic Waste or Threat Intelligence?
  6. Privacy by design
     The 7 Foundational Principles of Privacy by Design:
     1. Proactive not Reactive; Preventative not Remedial
     2. Privacy as the default setting
     3. Privacy embedded into Design
     4. Full Functionality – Positive-Sum, not Zero Sum
     5. End-to-End Security – Full Lifecycle Protection
     6. Visibility and Transparency
     7. Respect for User Privacy – Keep it User-Centric
     Source: Dennedy, Fox, & Finneran (2014). The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value.
  7. Data masking and encryption
  8. NIST SP 800-63B
     The recently published NIST (National Institute of Standards and Technology) Digital Identity Guidelines recommend a list of important verification steps when updating the password for a given account. Specifically, verifiers SHALL compare the prospective secret (i.e., the account password) against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include (but is not limited to):
     • Passwords obtained from previous breach corpuses.
     • Dictionary words.
     • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
     • Context specific words, such as the name of the service, the username, and derivatives thereof.
  9. PROVISION OF RISK INFORMATION ASSOCIATED WITH COMPROMISED ACCOUNTS
     Patent Pending. Author: Rui Wang, Ph.D. Published Date: 07/05/2018
     [Flowchart. Box labels: Obtain Password; Perform Hash on Password; Modify Hashed Password; Transmit Modified Password; Search Modified Password; MATCH? (YES/NO); Transmit Identified Password; Provide Notification; Receive Identified Password; Compare Identified Password to Password; MATCH? (YES/NO); Provide Notification; Receive Modified Password]
  10. Hardware enforced encryption
     Enhances the privacy of sensitive credential data at the design level
     • hardware enforced crypto boundary with SGX
     Helps defend against internal and external attackers
     • malware running on the host machine
     • malicious cloud providers
     • rogue employees
     Credential data are totally UNUSABLE if they are dumped
     • data have been sealed/encrypted by SGX
     • data can only be used on the SGX-enabled CPU
     Making stolen credentials of online accounts and blockchain identities UNUSABLE and UNHACKABLE
     Hardware enforced encryption (SGX) hosted with cloud scale economics
  11. Is VeriClouds breaking any laws?
     • Criminal intent is a necessary element of all criminal liability. Without the requisite criminal intent, VeriClouds does not and cannot commit any crimes.
     • VeriClouds operates in the open and prides itself on transparency and disclosure. Unlike criminal (or even dishonest) organizations, its officers and employees each have long histories of employment and experience in the security-research industry.
     • RCW 9A.90.030(10). VeriClouds services are used “primarily to promote security and safety.” The ability to monitor for compromised credentials and to notify individuals when their credentials have been leaked helps prevent additional security breaches and lowers risk. There is unlikely to be a credible argument that VeriClouds engages in something other than white hat security research.
  12. Satisfying GDPR regulations
     According to GDPR Article 6, personal information collection may proceed for the following purposes:
     • for the performance of a contract or legal obligation;
     • to protect the vital interests of the data subject;
     • for a task in the public interest;
     • or where processing is necessary for the legitimate interests of the controller.
     security-solutions-violate-gdpr
  13. Summary
     • Make privacy by design a first principle
     • Be proactive, not reactive, about user privacy
     • Anonymize data wherever possible
     • Keep master clear stores physically separated from production environments
     • Check with vendors about what information they collect and how it is treated
  14. Thank you! @stevetout For more information visit
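
The flowchart labels on slide 9, read as a lookup in which the checking party never transmits the full password hash, give one way to perform the breach-corpus comparison slide 8 quotes from NIST SP 800-63B. This is an added example, not VeriClouds' code or the patented method: the slides do not say what "Modify Hashed Password" does, so truncation to a short prefix, SHA-256, and all names here are assumptions.

```python
import hashlib
import hmac

PREFIX_LEN = 4  # assumption: "modify" means keeping only this many hex digits


def digest(password: str) -> str:
    """Perform Hash on Password (SHA-256 is this example's choice)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class BreachLookupService:
    """Server side: holds hashes of breached passwords, bucketed by prefix."""

    def __init__(self, breached_passwords):
        self.buckets = {}
        for pw in breached_passwords:
            h = digest(pw)
            self.buckets.setdefault(h[:PREFIX_LEN], set()).add(h)
        self.seen_queries = []  # everything the server learns from callers

    def search(self, modified_hash: str):
        """Receive Modified Password, Search, Transmit Identified Password(s)."""
        self.seen_queries.append(modified_hash)
        return sorted(self.buckets.get(modified_hash, ()))


def check_password(password: str, service: BreachLookupService) -> str:
    """Client side: 'no-candidates', 'candidates-no-match' or 'compromised'."""
    full = digest(password)                          # Perform Hash on Password
    candidates = service.search(full[:PREFIX_LEN])   # Modify, then Transmit
    if not candidates:                               # first MATCH? is NO
        return "no-candidates"
    # Compare Identified Password to Password: done locally, in constant time.
    if any(hmac.compare_digest(full, c) for c in candidates):
        return "compromised"
    return "candidates-no-match"                     # same bucket, other hash


# Constructed sample corpus, not real breach data.
SAMPLE_CORPUS = ["password", "123456", "qwerty", "letmein"]

if __name__ == "__main__":
    svc = BreachLookupService(SAMPLE_CORPUS)
    for pw in ("letmein", "correct horse battery staple"):
        print(pw, "->", check_password(pw, svc))
    print("server saw only:", svc.seen_queries)
```

The prefix length trades bucket size against how much the lookup service learns about the queried password.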