Security And Privacy Cagliari 2012


Lecture to a PhD student summer school on security and privacy from the financial industry's and consumers' perspectives

  1. Perspectives on consumers' privacy and security trade-offs
     Marco Morana, Global Industry Committee, OWASP Foundation
     OWASP Summer School on Computer Security & Privacy, 27-31 August 2012
     Copyright © 2011 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
  2. Do you know OWASP?
  3. About myself and my career journey
  4. "Privacy is one of the biggest problems in this new electronic age… At the heart of the Internet culture is a force that wants to find out everything about you. And once it has found out everything about you and two hundred million others, that's a very valuable asset, and people will be tempted to trade and do commerce with that asset. This wasn't the information that people were thinking of when they called this the information age."
     What I've Learned: Andy Grove, Former Chairman of Intel, 63, Santa Clara, California
     Source URL (truncated in the original): …ive-learned/what-ive-learned-archive
  5. Presentation Objective & Agenda
     Objective: different perspectives on privacy, the trade-offs between the different needs of consumers and businesses, and future trends.
     Agenda:
      - PART I: Doing business with customers' private information
      - PART II: Threats to consumers' private information and measures to protect it
      - PART III: Future trends affecting data privacy
  6. PART I: Doing Business with Customers' Private Information
  7. Factors that Limit Personal Privacy (diagram centred on "Personal Data Privacy"): Law Enforcement, Social Networking, Targeted Marketing, Taxation
  8. Factors that Enable Personal Data Privacy (diagram centred on "Personal Data Privacy"): Anonymity, Data Privacy Laws & Controls, Confidentiality, Security Controls (e.g. Encryption)
  9. …about Privacy
      1. Privacy is a personal right
      2. There are different types of privacy: health, political, race/sex, etc.; financial privacy is important for the avoidance of fraud and identity theft
      3. Privacy is traded off against different needs such as networking, business, marketing, compliance and law enforcement
      4. Businesses collect, process and store customers' private and confidential information for different reasons
      5. Data confidentiality and privacy have similar goals
      6. New technologies such as social networks, online services and cloud computing challenge the notion of personal privacy
      7. Perspectives about privacy change with time
  10. Private and Personally Identifiable Information
     Private information and Personally Identifiable Information (PII) uniquely identify an individual. What counts as private information and PII varies among countries, e.g.:
      - US SB1386: Name and SSN, Driver's License No., Account/Credit/Debit Account No. + PIN
      - EU Directive 95/46/EC, Article 2a: personal data is any information relating to an identified or identifiable person, an identification number, or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
  11. Data Breach Notification Rules in Italy: Legislative Decree 69/2012 (in force since June 1st 2012, implementing in Italy Directive no. 2009/136/EC)
     Definition of personal data breach: a breach of security leading to the accidental destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
     Procedures to deal with a personal data breach:
      - The provider shall notify the Italian Data Protection Authority ("DPA" or Garante) without undue delay (e.g. 72 hrs for ISPs);
      - The provider shall notify the data subject, unless it is able to give evidence to the DPA that it has implemented appropriate security measures;
      - Failure or delay to notify a personal data breach to the DPA is sanctioned with a fine ranging between EUR 25,000 and EUR 150,000.
  12. Trade-offs Between Business and Privacy Needs
      - Business need: collection and processing of customers' PII (C-PII) and sensitive information. Privacy need: protection of C-PII and sensitive information in storage and transmission.
      - Business need: sharing of C-PII and personal information with 3rd parties and affiliates. Privacy need: disclosure of, and consent to, which 3rd parties/affiliates C-PII is shared with.
      - Business need: compliance with privacy laws, data breach notification laws and security policies. Privacy need: notifications to customers when private data is collected and when it is either lost or compromised.
  13. Collection and Processing of PII: in the case of financial institutions, PII is
     Collected online and at a branch when opening bank accounts, applying for loans, running credit reports, applying for credit cards and using online banking.
     Processed and stored to identify/verify the customer, by asking for the last four digits of the SSN and account number, for example:
      - Over the phone, for bank account balances and payment of bills
      - Online user validation for resetting a password/PIN
      - Online, to authenticate a user with challenge questions
  14. Collection and Processing of PII: Examples
  15. Private Data Collection: Examples
  16. PART II: Threats to Private Information and Measures to Protect It
  17. Statistical Data on Data Loss Incidents (*)
     Hacking and external attacks are the major cause of private data losses, and their share is increasing (32% to 61% and 53% to 75%).
     NAA, SSN and DOB represented the majority of private data records lost last year; this year it is PWD, EMA and SSN.
     (*) Source: http://www.datalossdb.org
  18. "…In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook."
     "…all you need in addition to someone's e-mail is a billing address and the last four digits of a credit card."
     (*) Source: How Apple and Amazon Security Flaws Led to My Epic Hacking, URL (truncated in the original): …08/apple-amazon-mat-honan-hacking/
  19. Cost to Businesses for Loss of PII
      1. Data breach cost per data record lost: $222/record (*)
      2. Out-of-pocket cost per identity fraud incident: $631/victim/incident (**)
     (*) Source: 2011 Cost of a Data Breach: United States, Ponemon Institute and Symantec, March 2012
     (**) Source: The 2011 Identity Fraud Survey Report, Javelin Strategy & Research, URL (truncated in the original): …avelin-2011-identity-fraud-survey-report.pdf
  20. Security Measures and Protection of Privacy
     Businesses protect their customers' private information with:
      - Information Security Policy: requirements for protection of the Confidentiality, Integrity and Availability (CIA) of customers' private data
      - Data classification: Public, Internal, Confidential, PII, Restricted
      - Security measures:
         - Controls: Authentication, Entitlements, Encryption, Session Management, Auditing & Logging
         - Measures: Security Audits
         - Information Security and Privacy Officers
  21. Opt-out Privacy Controls: Privacy Notices from US Banks
  22. Opt-in Privacy Controls: Cookies & Preferences
  23. PART III: Future Trends Affecting Data Privacy
  24. Individuals' Awareness of Privacy
     "Maybe Zuckerberg is right. The mores of privacy are changing, and 'people don't want complete privacy.' Teens may be the first adopters of this change."
  25. Adoption of New Technologies and New Challenges for Consumers' Privacy
     [Timeline figure, 1997 to 2017 (1997, 2000, 2005, 2007, 2010, 2012, 2015, 2017), showing the adoption of: Internet, Webmail, Social Networks, Location aware applications, Smartphones, Cloud computing, Virtual Assistants, BYOD, Big data, Social TVs, Mobile Payments, Social Analytics, Biometric Authentication, Gesture Recognition, Face Recognition, Internet of things]
  26. Law Enforcement vs. Individuals' Privacy
  27. Companies' Privacy Practices Are Increasingly Under Scrutiny
  28. Future Privacy Legislation in the EU
      1. One EU regulation for 27 countries
      2. Applies to any processed PII data of EU citizens (including IP addresses and GPS location data)
      3. 24-hour data breach notification
      4. Mandatory annual security assessments
      5. EU citizens will have the right to request extended erasure of their personal data
      6. Fines up to 2% of a company's worldwide annual turnover
     (*) Source URL (truncated in the original): http://www.donneespersonnelle[…]the-new-eu-privacy-framework
  29. Open Questions
     Questions for consumers:
      1. What are my privacy rights?
      2. How can I control my privacy?
      3. Which PII can be disclosed, and to whom?
      4. Who is legally liable for PII data that is lost?
     Questions for businesses:
      1. What are the privacy rights of my customers?
      2. Which security policies protect customers' PII in compliance with privacy laws?
      3. How soon do I need to inform my customers of a breach of PII and/or identity theft fraud?
      4. When can customers' PII be disclosed to law enforcement?