Confidentiality (slides courtesy of Danny Lungstrom and Senthil Somasundaram)

1 Confidentiality (slides courtesy of Danny Lungstrom and Senthil Somasundaram)

2 CIA Triad: Confidentiality, Integrity, Availability (a system is called secure when all three hold). Ref: Security in Computing, Charles Pfleeger

3 Threats to Confidentiality
 Access to confidential information by any unauthorized person
 Intercepted data transfers
 Physical loss of data
 Misuse of privileged access to confidential information by employees
 Social engineering used to obtain confidential information
 Unauthorized access to physical records
 Transfer of confidential information to unauthorized third parties
 Compromised machine on which an attacker can access data thought to be secure

4 Confidentiality Agreements
 Strict access controls are crucial to protecting confidential information
 Those who should have access to the confidential information should be clearly defined
  – These people must sign a very clear confidentiality agreement
  – They should understand the importance of keeping the information private

5 Financial Importance
 According to the Computer Security Institute's 6th "Computer Crime and Security Survey" (2001)
 "the most serious financial losses occurred through theft of proprietary information"
 34 respondents reported losses of $151,230,100
 About $4.5 million per company in one year

6 Trade Secrets
 No registration/approval or standard procedure
 Quick and easy
 Limited protection
  – Not protected against reverse engineering or obtaining the secret by "honest" means (independent discovery)

7 Trade Secrets (2)
 Why trade secrets?
 How to protect
  – Enforce confidentiality agreements
  – Label all information as "Confidential" so the courts can see it was treated as such
 How long do trade secrets remain secret?
  – Average is 4 to 5 years (decreasing)

8 Best Kept Trade Secrets
 Coca-Cola
  – Coca-Cola decided to keep its formula secret decades ago
  – Only known to a few people within the company
  – Stored in the vault of a bank in Atlanta
  – The few who know the formula have signed very explicit confidentiality agreements
  – Rumor has it, those who know the formula are not allowed to travel together
  – If Coca-Cola had instead patented the syrup formula, everyone could be making it today
 KFC

9 Phishing Scams
 Tricking people into providing malicious users with their private/financial information
 Financial losses to consumers:
  – $500 million to $2.4 billion per year depending on source
  – 15 percent of people who have visited a spoofed website have parted with private/personal data, often including credit card, checking account, and social security numbers

10 Phishing example?

Date: Tue, 20 Sep 2005 03:06:03 -0700 (PDT)
From: Countrywide countrywide@email.countrywide.com
To: tjs@cert.org
Subject: Important Customer Correspondence

[Image: "height="]
[Image: "Countrywide - Full Speectrum Lending Division"]
[Image: "1-866-227-4118"]
[Image: "height="] [Image: "height="] [Image: "height="]
[Image: "If you could use some extra cash, Countrywide could make it easy."]
[Image: "Click Here to Get Started"]
[Image: "height="] [Image: "height="] [Image: "height="] [Image: "height="]

Dear Timothy,

We can help customers get cash from the available equity they've built up in their homes by refinancing their mortgages - and with the trend in rising home values, we estimate your home's equity may have increased to as much as $43,867.00.

(much more...)

Presenter's notes:
 Phone number appears legit; Countrywide is the recipient's current mortgage holder
 Note typographical errors (Speectrum, empty images, etc.)
 Big payoff offered
 Closer look: embedded link domains don't match the From domain (m0.net, r.delivery.net, not countrywide.com; all hosted by the same ISP, Digital Impact)
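The "closer look" on the slide, extracting the domains behind the links and images in a message and comparing them with the sender's domain, can be automated. The following is an added example, not code from the slides; the message it parses is constructed here, modelled on the headers and the two link domains the slide names, and the "registrable domain" logic is a deliberate simplification (last two DNS labels, which mishandles suffixes such as co.uk). A mismatch is a signal to investigate, not proof of phishing: the slide's own example turns out to be bulk mail sent through a marketing provider.

```python
"""Flag links in an e-mail whose domain differs from the From: domain."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the slide's actual e-mail), with the
# same sender domain and link domains that the slide discusses.
SAMPLE_EMAIL = """\
From: Countrywide <countrywide@email.countrywide.com>
To: tjs@cert.org
Subject: Important Customer Correspondence
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="http://r.delivery.net/img/logo.gif" alt="">
<a href="http://m0.net/go?id=123">Click Here to Get Started</a>
<a href="http://www.countrywide.com/privacy">Privacy policy</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect the URL of every <a href> and <img src> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and ((tag == "a" and name == "href") or (tag == "img" and name == "src")):
                self.urls.append(value)


def base_domain(host):
    """Naive registrable domain: the last two labels of the host name.
    Simplification: does not consult the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_hosts(html_body):
    """Return the set of host names referenced by links and images."""
    collector = _LinkCollector()
    collector.feed(html_body)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def html_bodies(msg):
    """Yield decoded text/html bodies, for single-part and multipart mail."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            yield raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def mismatched_links(raw_message):
    """Return (sender_domain, sorted hosts whose base domain differs from it)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = base_domain(addr.rsplit("@", 1)[-1])
    hosts = set()
    for body in html_bodies(msg):
        hosts |= link_hosts(body)
    suspicious = sorted(h for h in hosts if base_domain(h) != sender_domain)
    return sender_domain, suspicious


if __name__ == "__main__":
    sender, bad = mismatched_links(SAMPLE_EMAIL)
    print("sender domain:", sender)
    for host in bad:
        print("link domain does not match sender:", host)
```

Running it on the constructed message reports m0.net and r.delivery.net and leaves the countrywide.com link alone, which is exactly the observation on the slide; a real triage tool would add the public-suffix list, resolve the hosts, and compare the hosting provider with the sender's.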

11 Legal Requirements
 HIPAA
 Gramm-Leach-Bliley
 FERPA
 Confidentiality/Non-disclosure Agreements

12 Giant Eagle Example
 Giant Eagle's Loyalty Program
  – Nearly 4 million active users in 2005
  – Users' purchases at both the grocery store and the gas station are monitored, with their knowledge
  – The card can also be linked to fuel perks, check cashing, and video rental service
  – The card is also usable at 4,000 hotels, Avis, Hertz, Alamo, numerous local retailers, sporting events, museums, zoos, ballets, operas, etc.

13 Giant Eagle (2)
 From the privacy policy:
  – Giant Eagle does not share your personal information or purchase information with anyone except:
    As necessary to enable us to offer you savings on products or services; or
    As necessary to complete a transaction initiated by you through the use of your card;

14 Writing Policies
 Ask numerous questions before beginning
  – What information is confidential?
  – Who should be allowed to access this information?
  – How long is it to remain confidential?
  – What type of security policy is needed?
  – What level of confidentiality is necessary for the given organization?

15 Chinese Wall Policy
 Conflicts of interest
  – A person in one company having access to confidential information of a competing company
 Based on three levels of abstraction
  – Objects (individual pieces of information)
  – Company groups (all objects belonging to one company)
  – Conflict classes (groups of companies with competing interests)

16 Chinese Wall Policy (2)
 Access control policy
  – An individual may access any information, provided (s)he has never accessed information from a different company in the same conflict class
  – So, once an individual has accessed any object of a company in a given conflict class, (s)he is from then on restricted to that company group within the conflict class; the other companies in the class are off-limits
  – Companies in other conflict classes remain accessible
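The rule on the two slides is history-based: the decision depends on what the subject has already read, not on a fixed label. The following is an added example, not code from the slides, implementing that read rule over constructed sample data (the company and conflict-class names are made up). It also goes slightly beyond the slides with a write check, the history-based simplification of the Brewer-Nash write rule: a subject who has read another company's data must not write into this company's objects, otherwise information can leak indirectly through a colleague who is still allowed to read both.

```python
"""Brewer-Nash (Chinese Wall) access checks driven by access history."""
from collections import defaultdict

# Constructed sample data (assumption, not from the slides):
# object -> owning company, company -> conflict-of-interest class.
COMPANY_OF_OBJECT = {
    "bankA-ledger.xlsx": "BankA",
    "bankA-memo.txt": "BankA",
    "bankB-forecast.pdf": "BankB",
    "oilX-reserves.csv": "OilX",
    "oilY-drilling.doc": "OilY",
}
CONFLICT_CLASS = {
    "BankA": "banks",
    "BankB": "banks",
    "OilX": "oil",
    "OilY": "oil",
}


class ChineseWall:
    """Tracks, per subject, which companies' data it has already read."""

    def __init__(self):
        self.history = defaultdict(set)

    def can_read(self, subject, obj):
        """Simple security rule: readable unless the subject has already read
        a *different* company in the same conflict class."""
        company = COMPANY_OF_OBJECT[obj]
        cls = CONFLICT_CLASS[company]
        return all(
            seen == company or CONFLICT_CLASS[seen] != cls
            for seen in self.history[subject]
        )

    def can_write(self, subject, obj):
        """History-based form of the Brewer-Nash write rule (beyond the slides):
        the subject must be allowed to read the object and must not have read
        data of any other company, in any conflict class, that could leak into it."""
        company = COMPANY_OF_OBJECT[obj]
        return self.can_read(subject, obj) and self.history[subject] <= {company}

    def read(self, subject, obj):
        """Perform a read, recording it in the history; raise if the wall forbids it."""
        if not self.can_read(subject, obj):
            raise PermissionError(f"{subject} may not read {obj}: conflict of interest")
        self.history[subject].add(COMPANY_OF_OBJECT[obj])
        return True


if __name__ == "__main__":
    wall = ChineseWall()
    wall.read("alice", "bankA-ledger.xlsx")
    print("alice -> bankA-memo.txt:", wall.can_read("alice", "bankA-memo.txt"))        # True, same company
    print("alice -> bankB-forecast.pdf:", wall.can_read("alice", "bankB-forecast.pdf"))  # False, same class
    print("alice -> oilX-reserves.csv:", wall.can_read("alice", "oilX-reserves.csv"))    # True, other class
```

Note that the wall is built by the subject's own first choice: before reading anything, alice could have picked BankB instead, and the history is what closes the other door. In a real system that history must be stored durably and per identity, not per session, or the wall resets on every login.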

17 Writing the Policy
 Contents should include:
  – Obligation of confidentiality
  – Restrictions on the use of confidential information
  – Limitations on access to the confidential information
  – Explicit notification as to what is confidential

18 Implementing Policy
 Host lockdown
 Database lockdown
 Encryption
 Backup controls
 Email
 Network lockdown
 Device controls
 Personnel controls
