Example: Google Privacy Policy

What information is collected about you?
– Personal information such as name, email address, credit card and telephone number that we provide to create an account
– The services we use and the websites we visit (used for advertising)
– Device information: hardware model, OS, network information (IP address), etc.
– Search queries
– Who we call and for how long we talk
– Cookies
– Location information
– Applications

How is collected information used?
– improve user experience (personalization)
– serve targeted advertisements (we can set ad preferences)

Who do they share it with?
– With opt-in, can share with companies, individuals and organizations outside of Google
– Domain administrators and resellers who provide user support to your organization can get certain information about you that you give to Google
– Affiliates and other trusted businesses or persons with appropriate confidentiality and security measures
– For legal reasons

Information security
– many services use encryption
– stronger authentication (two-factor)
– other safeguards

Changes to privacy policy
– Will not reduce user rights without your consent

Facebook Privacy Policies
Do companies adhere to and operate according to the privacy policy you consented to?
Not always: Facebook had problems here, and the US Federal Trade Commission took action against it for violating user privacy.

Privacy

Do we need privacy only for individuals?
No: universities, hospitals and charities also require privacy, and need to protect the data of the people they serve and employ.

Threats to Privacy
– Traffic analysis
– Surveillance
– Linking and making inferences

Social media, tracking of web browsing, location-aware applications: sometimes we are willing parties to the collection.

Privacy Threats: Online Tracking Information
– Collection of information about you: with or without your consent?
– Usage: only used for the specified purpose you agreed to?
– Information retention: how long can they keep it?
– Information disclosure and sharing: disclosed only to authorized or agreed-to parties?
– Privacy policy change: can the information collector/holder move to a more lax policy without your agreement?
– Information security: identity and access management, monitoring, protection against the various threats we discussed

Ethical Issues

Difference between law and ethics
– Ethics is an individual standard, law a societal one
– Unlike law, ethics has no external arbiter and no enforcement
– Example: what do you do when you discover a vulnerability in a commercial product? Ethical (responsible) disclosure?
– Codes of ethical conduct (IEEE, ACM, university)

Privacy
Definition: A user’s ability to control how data pertaining to him/her can be collected, used and shared by someone else.

Privacy is not a new problem
– People have always worried about what others (friends, enemies, governments) might know about what they do.
– What is new is the scale and magnitude at which information about us and our activities can be collected, and the ways in which it can be used, shared or sold.

Privacy
– financial statements, credit card statements, banking records, etc.
– health/medical conditions
– legal matters
– biometrics
– political beliefs
– school and employer records
– web browsing habits: what we search for, what we browse, which websites we visit
– communication (emails and calls)
– past history (right to be forgotten)

What is not private?
– Where I live? My citizenship?
– Am I registered to vote?
– My salary (as a state employee, because Georgia Tech is a public university)

Law, Ethics, and Privacy

Cyber crime
– data theft, identity theft, extortion, etc.
Copying and distribution of digital objects (software, music)
– copyright, patents, trade secrets
– how are these applicable in the context of digital/computer objects?
Privacy
– Who can collect my information, how can I control it, how can it be used, etc.?

US Computer Fraud and Abuse Act(CFAA)
– Defines criminal sanctions against various types of abuse
– Unauthorized access to a computer containing:
  – data protected for national defense
  – banking or financial information
– Unauthorized access, use, modification, destruction or disclosure of a computer, or of information on a system, operated by or on behalf of the US government

US Computer Fraud and Abuse Act
– Accessing without permission a "protected computer" (in practice, any computer connected to the internet)
– Transmitting code that causes damage to computers (malware)
– Trafficking in computer passwords

Cyber Risk Assessment

– Investments in cyber security are driven by risk and how certain controls may reduce it
– Some risk will always remain
– How can risk be assessed?

Risk exposure = Prob[adverse security event] × Impact[adverse event]
Risk leverage = (Risk exposure without the control − Risk exposure with the control) / Cost of the control

A control makes sense when its risk leverage > 1, i.e., it removes more expected loss than it costs.
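Added worked example (not from the lecture): the two formulas above applied in Python to a constructed scenario with two adverse events and two candidate controls. The probabilities, impacts and control costs are made up for the example; they are chosen to show how leverage separates a control worth buying from one that costs more than the expected loss it removes.

```python
# Constructed scenario: annual probability and dollar impact of each adverse
# event. All numbers are invented for this example; only the formulas come
# from the notes above.
BASELINE = {
    "phishing leads to account takeover": (0.30, 200_000),
    "database breach of customer records": (0.05, 1_000_000),
}

# Candidate controls: (annual cost, the event probabilities the control changes).
CONTROLS = {
    "two-factor authentication": (20_000, {"phishing leads to account takeover": 0.10}),
    "data loss prevention suite": (100_000, {"database breach of customer records": 0.02}),
}


def risk_exposure(events):
    """Risk exposure = sum over events of Prob[adverse event] * Impact[adverse event]."""
    return sum(prob * impact for prob, impact in events.values())


def apply_control(events, new_probabilities):
    """Exposure table after the control: same impacts, reduced probabilities."""
    return {
        name: (new_probabilities.get(name, prob), impact)
        for name, (prob, impact) in events.items()
    }


def risk_leverage(events, control):
    """(exposure without the control - exposure with the control) / cost of the control."""
    cost, new_probabilities = control
    reduced = risk_exposure(apply_control(events, new_probabilities))
    return (risk_exposure(events) - reduced) / cost


def worthwhile_controls(events, controls):
    """Names of controls with leverage > 1, highest leverage first."""
    scored = {name: risk_leverage(events, ctl) for name, ctl in controls.items()}
    return sorted((n for n, lev in scored.items() if lev > 1),
                  key=scored.get, reverse=True)


if __name__ == "__main__":
    print(f"baseline exposure: ${risk_exposure(BASELINE):,.0f}")
    for name, ctl in CONTROLS.items():
        print(f"{name}: leverage {risk_leverage(BASELINE, ctl):.2f}")
    print("worth deploying:", worthwhile_controls(BASELINE, CONTROLS))
```

With these numbers the baseline exposure is $110,000 a year; two-factor authentication removes $40,000 of it for $20,000 (leverage 2.0), while the DLP suite removes $30,000 for $100,000 (leverage 0.3), so only the first passes the > 1 test. The input estimates are the hard part in practice; the arithmetic is the easy part.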

How do we assess and reduce cyber risk?
Impact
– expected loss (reputational, recovery and response, legal, loss of business, etc.)
Risk management
– accept, transfer (insurance) or reduce
– reduction via technology solutions, education and awareness training

Enterprise Cyber Security Posture
– Reactive:
  – regulation/compliance
  – customer demands
  – in response to a breach (e.g., Target or Home Depot)
  – in response to events

Proactive:
– champion of an organization who has influence
– board level conversation about cyber security and risk

Economic value argument:
– return on investment (ROI)
– Estimating costs and benefits is tricky
– Perception vs. data-driven risk

Values at risk
– assets, reputation etc.
Threats and attack vectors
Plan, implement and manage
– Deploy appropriate controls
– Empower people and hold them responsible
– Plan for response and remediation (do not be surprised)
– User awareness
Understand and proactively address risk

Security Planning

What needs to be secured?
Who is responsible for it?
What technical/non-technical control should be deployed?
How are people supported to do what they need to do?
What if something goes wrong?
Response and recovery
Accountability and consequences

What needs to be secured?
Hardware, software and services
– servers, routers, switches, laptops and mobile devices
– OS, databases, services and applications
– Data stored in databases or files
From whom?
– Remote hackers?
– Insiders?

Identity and access management (IAM)
– credentialing, account creation and deletion
– password policies
Network and host defenses
– firewall, IDS, IPS
– anti-virus
VPN and BYOD
Vulnerability patching
User awareness and education
– phishing attack awareness (e.g., PhishMe)

High level articulation of security objectives and goals
– legal, business or regulatory rationale
– Do's and don'ts for users
  – password length
  – web and email policies
Response to security events
– Address prevention, detection, response and remediation as they concern/impact users

Cyber Security Management

Security Management
– Technical controls (authentication, access control, etc.) are used to reduce the risk of attacks on valuable assets.
– Must decide what assets need to be secured and from whom.

Organization Context
– legal and compliance drivers for cyber security (e.g., financial and health data)
– what technical controls should be deployed?
  – must understand the risks posed by threats
  – costs and benefits of security measures

Key Challenges
what assets are under risk?
What are the threats and how serious is the risk posed by them?
likelihood of successful attack and its impact

What technological solutions/controls exist to counter threats?
How can we address risk in a cost-effective manner?
cost is less than reduction in risk
How do we understand people and process aspects of cyber security management?

Sample PHP

$selecteduser = $_GET['user'];   // taken directly from the query string, unvalidated
$sql = "SELECT Username, Key FROM Key " . "WHERE Username='$selecteduser'";   // user input spliced into the SQL text
$rs = $db->executeQuery($sql);

What if 'user' is a malicious string that changes the meaning of the query?

Web browser -> enter username & password -> Web server -> SELECT password FROM USERS WHERE uname='smith' -> Database

Example SQL Injection Attack
Attacker enters as the username a string that closes the quoted value and continues with: DROP TABLE USERS; --
– DROP TABLE USERS eliminates all user accounts
– everything after -- is a comment and is ignored by the DB, so the rest of the original query never causes a syntax error
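Added example (not from the lecture): the PHP lookup above re-created in Python against an in-memory SQLite database so the injection can actually be run. The table contents, usernames and key values are constructed for the example. The tautology payload dumps every row from the string-built query while the same input returns nothing from the parameterized version; the stacked DROP TABLE query from the slide is built and printed but not executed.

```python
import sqlite3

# Constructed sample data standing in for the "Key" table queried by the PHP
# snippet above; usernames and key values are made up for this example.
SAMPLE_ROWS = [
    ("smith", "k-1111"),
    ("lee", "k-2222"),
    ("admin", "k-9999"),
]


def make_db():
    """In-memory SQLite database with the same shape as the page's Key table."""
    db = sqlite3.connect(":memory:")
    # "Key" is double-quoted because it is used as both table and column name.
    db.execute('CREATE TABLE "Key" (Username TEXT, "Key" TEXT)')
    db.executemany('INSERT INTO "Key" VALUES (?, ?)', SAMPLE_ROWS)
    return db


def build_vulnerable_query(selected_user):
    """Mirrors the PHP: the user-controlled string is spliced into the SQL text."""
    return ('SELECT Username, "Key" FROM "Key" '
            f"WHERE Username='{selected_user}'")


def vulnerable_lookup(db, selected_user):
    # The attacker's input is parsed by the database as part of the statement.
    return db.execute(build_vulnerable_query(selected_user)).fetchall()


def safe_lookup(db, selected_user):
    # Parameterized query: the value travels separately from the SQL text, so
    # quotes, OR clauses and comment markers inside it can never change the
    # statement's structure.
    return db.execute(
        'SELECT Username, "Key" FROM "Key" WHERE Username=?', (selected_user,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"          # closes the literal, adds an always-true clause
    print(vulnerable_lookup(db, tautology))   # every user's key
    print(safe_lookup(db, tautology))         # [] : nobody is literally named that
    # The stacked-query payload from the slide, shown as the DB would see it.
    print(build_vulnerable_query("x'; DROP TABLE USERS; --"))
```

Python's sqlite3 driver refuses to run more than one statement per execute() call, which is why the DROP TABLE variant is only printed here; database APIs that do allow stacked queries execute it. The fix is the same in PHP: bind the value with a prepared statement instead of concatenating it.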

XSRF (cross-site request forgery): a page on the attacker's site that submits a bill payment to the bank in the victim's name

<form name="BillPayForm" action="http://bank.com/BillPay.php">
  <input name="recipient" value="badguy">
  ...
</form>
<script>
  document.BillPayForm.submit();   // submits automatically when the victim loads the page
</script>

cross-site scripting (XSS)
– the user trusts a badly implemented website
– the attacker injects a script into the trusted website
– the user's browser executes the attacker's script

cross-site request forgery (CSRF)
– a badly implemented website trusts the user (i.e., the user's browser and its cookies)
– the attacker tricks the user's browser into issuing a request
– the website executes the attacker's request

Structured Query Language(SQL)
– widely used database query language
– retrieves a set of records, e.g.,
  SELECT * FROM Person WHERE Username='Lee'

Web Security

Web and security vulnerabilities
cross site scripting
cross site request forgery
SQL injection

How the web works
Browser client -> URL request -> server machine -> files and resources: PHP, servlets, JSP, scripts, ...

Cookies
– Used to store state on the user's machine
– If no Expires attribute is set, the cookie lasts only for the current browser session
– Sent back by the browser with every request to that site, e.g., GET ... Cookie: sessionToken=abc123

Web page contains both static and dynamic contents, e.g., JavaScript
– sent from a web site(s)
– Run on the user’s browser/machine

Web sites run applications(e.g., PHP) to generate response/page
– according to requests from a user/browser
– often communicate with back-end servers

Cross-Site Scripting (XSS)
If a website allows users to input content without controls, attackers can insert malicious code as well
– social networking sites, blogs, forums, wikis
– suppose a website echoes user-supplied data, e.g., the user's name, back on the HTML page

Suppose the attacker sends <script type="text/javascript">alert("Helloworld")</script> to the site as his "name": it is echoed into the page unchanged and runs in the browser of every user who views it
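Added example (not part of the lecture): the echo-back page in Python, with the vulnerable rendering beside the output-encoded one. The page template and the inputs are constructed for the example; html.escape is the Python standard library's HTML entity encoder, and the crude tag check at the end is only there to make the difference testable.

```python
import html

# Constructed inputs: a benign name and the script the slide uses as a "name".
BENIGN_NAME = "Lee"
XSS_NAME = '<script type="text/javascript">alert("Helloworld")</script>'


def render_greeting_vulnerable(name):
    """Echoes the user-supplied value straight into the HTML, as the slide describes."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Output-encodes the value for an HTML text context before echoing it.

    html.escape turns < > & " ' into character entities, so the browser shows
    the attacker's string as text instead of parsing a <script> element.
    """
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def contains_script_element(page):
    """Crude check for a live <script> tag in the rendered page.

    Assumption: good enough to demonstrate the point; a real test would feed
    the page through an HTML parser rather than a substring search.
    """
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_greeting_vulnerable(XSS_NAME))  # a browser would run alert()
    print(render_greeting_safe(XSS_NAME))        # a browser shows the tag as text
```

Encoding is context-dependent: html.escape is right for text between tags and for quoted attribute values, but a value placed inside a JavaScript block, a URL, or an unquoted attribute needs the encoder for that context, which is why templating engines that escape by default are preferred over hand-built strings.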

A browser runs a script from a “good” site and a malicious script from a “bad” site
Malicious script can make forged requests to “good” site with user’s cookie

Basic idea of CSRF
– the user establishes a session with the good site (session cookie)
– the user visits the attacker's server and receives a malicious page
– the page makes the browser send a forged request to the good site, with the user's cookie attached
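Added example (not part of the lecture): a synchronizer-token defense for the BillPay form above, written in Python. The session id, recipient names and server secret are constructed for the example. The server binds a token to the session with an HMAC, embeds it in its own form, and rejects the forged request: badguy's page can make the victim's browser send the session cookie, but it cannot read the bank's HTML (same-origin policy) and so cannot supply the token.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that never leaves the server. Generated per
# process here; a real deployment would load it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Token bound to one session: HMAC(secret, session_id), hex-encoded.

    The attacker's page cannot read the bank's pages, so it cannot learn the
    victim's token; any other session's token will not verify either.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_billpay_form(session_id):
    """The legitimate BillPay form as the bank renders it to a logged-in user."""
    token = csrf_token(session_id)
    return (
        '<form name="BillPayForm" method="POST" action="/BillPay.php">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="recipient">\n'
        '  <input type="submit" value="Pay">\n'
        '</form>'
    )


def handle_billpay(session_id, form):
    """Server side: only act on a POST whose token matches the caller's session."""
    submitted = str(form.get("csrf_token", ""))
    expected = csrf_token(session_id)
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return ("rejected", "missing or invalid CSRF token")
    return ("paid", form["recipient"])


if __name__ == "__main__":
    victim_session = "sess-abc123"   # constructed: the value of the victim's session cookie
    # Forged request: what badguy's auto-submitting form sends. The browser
    # attaches the cookie, but the attacker could not include the token.
    print(handle_billpay(victim_session, {"recipient": "badguy"}))
    # Legitimate request: the victim submits the bank's own form, token included.
    print(handle_billpay(victim_session,
                         {"recipient": "landlord",
                          "csrf_token": csrf_token(victim_session)}))
```

The token only helps if the bank checks it on every state-changing request and never honours such requests over GET. Marking the session cookie SameSite=Lax or Strict is a complementary browser-side defense: the browser then withholds the cookie from cross-site POSTs, so the forged request arrives without a session at all.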