bill's blog


When working in IT one needs to have a game plan… a road map, so to speak, for fixing problems. One needs to understand what is happening and look at the problem from a number of different perspectives (Our servers’ hard drives are filling at random intervals… it’s got to be a server problem). One needs to understand what is causing the problem… more often than not the question is: What’s changed in the environment? (Well, we installed the new version of Firefox onto everyone’s machine yesterday!) Then how to go about fixing the problem? Remove Firefox from everyone’s machine? But wait… problems within IT often aren’t that straightforward… oftentimes one cannot address the problem directly… “We need to use Firefox because our WebApp requires it.” BUT wait… it’s this feature that is causing the problem! “If we turn off that particular feature it will allow most of us to use Firefox, although some users could still have other problems.” We’ve provided a fix for the greater good… but is it really a fix? It depends!

Having a game plan for how you are going to attack the problem, and sticking with that game plan, can make the difference in finding a workable solution! Understanding what you are looking for (and that can include data that you don’t know is there) and why can only help to keep you focused. The game plan isn’t always the same… certainly the rules are different if you’re working in a corporate environment versus a government organization. They can be different depending on whether it’s a criminal matter. You as the technical expert need to understand that the suspect has rights that cannot be infringed upon, or you may find that all your hard work is inadmissible in court. Make sure you have the company’s permission, in writing, before you start poking around on other employees’ computers. Know who is authorized to give the OK to begin your work. Don’t start the work until you have everything in place.

Be professional! Stick to what you were hired to do! It doesn’t matter whether you’re a salaried employee or a consultant! Be objective! Don’t form opinions until you’ve done your homework. Forming opinions prior to starting your work could lead you down the wrong path and waste valuable time. Keep your mouth shut… you never know what you’re going to find… Confidentiality is often equated with trust. In IT we often have more access to information than our bosses! Don’t sneak a peek at their salary information. You may not like what you find! If people can’t trust you, you’ll find yourself unemployed.

We as network administrators need to understand that we provide a service both to the companies we work for and to the end users we serve. Without them we would find ourselves unemployed. IT is a service organization and, as such, end users are our customers. We must understand that their needs sometimes come before our own. Sometimes this dedication includes giving of ourselves and our families in terms of the many hours that we will miss because a server is down. Fortunately we can prepare ourselves and lower the risk of downtime (and time away from home) with continued education.

Know the basics!

Confidentiality, integrity and availability… the foundation of everything we do. While confidentiality didn’t play out this week, integrity and availability certainly did. I spent most of the past week (on the clock and off) getting an image database online. A number of things went wrong. From an integrity point of view, we had a database that went south. It contained a record of every image the company had captured in the last 10 years. Backups proved to be too old to be of use (though, as a second option, something to consider). Long story short, we were able to get the database back online BUT there was corruption that needed to be addressed. This is where dedication comes into play. It would be too easy to give up on the database recovery efforts. We did have backups (though not current). Piecing together various databases proved to be the answer. While not the most elegant method, it did get the database online and intact. Additionally, many hours were put into the recreation of the database to shorten the time the users were without it. Thus availability comes into play. The game plan to pull data from various backups and stitch them together was going to take time. One must balance one’s own time with that of the greater good. And thus this paper was late, but my end users got their data sooner rather than later.

Know the Policy!

IT is about making sure that people can work. Everyone! Sometimes one individual can bring down a network. Just take a look at any virus. One person writes and distributes the code… the rest of the world suffers. IT policies are there to protect everyone, both the end users AND the IT administrators. So what goes into IT policies?

1. Clear understandings – This pertains to everyone in the organization. The policies are written so that everyone in the organization knows what they can and can’t do. Does the company allow external USB thumb drives? Are smart phones allowed? Who is allowed to have smart phones? What about password sharing and its ramifications? There is a whole plethora of things that should be covered.

2. Emergency situations – What are the procedures or actions to be taken during an emergency? What should be done? Who should be informed? When is a Disaster Recovery plan implemented?

3. Access – Who should have access to which data? AND where does one go to get the access they need? What are the steps to be taken?

One thing to keep in mind is that the answers to the above questions must be distributed to everyone within the organization.

Education!

Without continued education we as IT professionals would go the way of the dinosaur, though perhaps not as dramatically. IT changes rapidly. If one had asked about virtual machines 5 years ago, no one would have understood what we were talking about. More and more IT professionals are asked to take on new technologies in a production environment and to support them. While reading, toying, and trial and error can bring you most of the way… formal training is needed to support these advanced technologies.

IT is about putting your heart and soul into your work. One must have the desire and drive to succeed in this industry. Only a select few can truly excel here!

CIA

There are many things in daily life that depend on something to work. A car needs gas. A light bulb needs electricity. And we all need air to breathe. Computers can be simple like a calculator or more complex like the Cray super-computer. Most of our computing needs usually fall somewhere between the two. Most of us rely on the Internet on a daily basis, whether it is for checking the latest sports scores or researching term papers. What most people don’t think about is what’s involved with protecting the resources out on the Internet.

In computing terms CIA stands for:

Confidentiality
Integrity
Availability

These three things make up the basic stepping-stones when it comes to securing data stored on a shared resource (which the Internet is). Without these three things the Internet would be useless. Let’s take a look, for example, at an online banking operation. How do these three principles relate to its operation?

Confidentiality is about making sure data is only accessed by individuals that have been granted permission to access it (keeping data private). In the online banking scenario, many banks (and other security-minded websites) display an image after you enter your user ID. This image is selected by you when setting up your online account. If you don’t see your image, then you might think twice about entering your password, since many phishers are adept at making their sites look authentic. Underpinning the goal of confidentiality are authentication methods like user IDs and passwords that uniquely identify a data system’s users (Miami.edu, 2006). Ultimately, one needs to ensure not only that you are providing the right credentials to access the data, but also that the resource is actually ‘who’ you think it is!

One other area that needs to be examined with regard to confidentiality is the use of secure transmissions. HTTP transmits data in clear text. This is problematic in two areas:

  1. Passing your credentials in the clear. This is especially troublesome, as anyone that can sniff the network could grab those credentials and use them to manipulate your funds.
  2. In terms of privacy, if encryption is not used during the transfer of data, anyone sniffing the network can look into your private records. Again, this is something that is not desirable.

SSL goes a long way toward providing this security. SSL (or Secure Sockets Layer) enables the data that you pass between the bank and your browser to be encrypted.

In terms of integrity, this is making sure that the data remains intact and that changes to the data can only be made by authorized personnel. There is the notion that an asset should be trusted; that is, there is an expectation that an asset will only be modified in appropriate ways by appropriate people (purdue.edu, 2004). Data is only useful if it can be relied upon as accurate. System administrators need to ensure that the data has not been tampered with. Accidental or intentional manipulation of data is a very bad thing. This is where things such as ACLs (or Access Control Lists) and other permission models come into play. ACLs can be used to control access to file systems or, more importantly, databases.

In addition to controlling who has access to the data, one needs to check that the data being captured is accurate. Error checking must be an integral part of data entry (garbage in… garbage out). Without this functionality, one could easily see a situation where an online banking user could pay a bill with funds that they don’t have (or vice versa… they want to pay a bill and the bank’s data is not currently reflecting yesterday’s deposit). There is another aspect of integrity that needs to be discussed, and that is the validity of the data should something actually happen to it. Data gets damaged, whether by accident or on purpose. Ultimately, what is of utmost importance is that the data can be restored back to its trusted state.

Availability is making sure that the data remains accessible. Data is no good if you can’t get at it. This is the first thing that network/system administrators learn. Your servers need to stay up all the time. In the banking industry, because this data needs to be accessible whenever the customer wants it, system administrators need to think in terms of high availability. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades (Wikipedia.org, 2009). In today’s fast-paced world of Internet banking, a bank without this would soon find that if its customers were unable to get to their money, it would be without customers.

Computer/network security is a moving target. Vectors of attack change on a daily basis. One can only plan defenses based on what is known: what information do we have today? However, using the above-mentioned criteria, network administrators can apply what is known about attacks, and how valuable their data is, to properly plan defenses for the future.

Resources:

Purdue University (2004, February 23). RASC: Confidentiality, Integrity and Availability (CIA). Retrieved January 19, 2009 from www.itap.purdue.edu/security/files/documents/RASCCIAv13.pdf

Unknown (2006, April 24). Confidentiality, Integrity, Availability (CIA). Retrieved January 19, 2009 from http://privacy.med.miami.edu/glossary/xd_confidentiality_integrity_availability.htm

Various (2009, January 20). Information security. Retrieved January 19, 2009 from http://en.wikipedia.org/wiki/Information_security#Integrity

Public-key cryptography, or asymmetric cryptography, is a form of cryptography in which one key is used to encrypt your data and a different key is used to decrypt it. The key set consists of a public key and a private key. The private key is always kept secret and is never distributed. The public key, as its name implies, can be freely distributed. The keys are related mathematically, but one cannot derive the private key from the public one, nor vice versa. Public-key cryptography addresses two real issues:

1. Confidentiality
2. Non-repudiation

In the first case, individuals wanting to transmit confidential data can encrypt the data with the recipient’s public key. Data encrypted with this key can only be decrypted with the corresponding private key. Hopefully, the owner has properly secured that key. The data in this scenario is actually encrypted! The only problem is that you need to have the public key of every individual you wish to send encrypted data to.

In the second case, individuals wanting to prove that the data in question was actually sent by them sign the message with their private key. Then anyone in possession of the sender’s public key can verify that the data was sent by the individual claiming to be the owner. In addition, the recipient can verify that the data has not been tampered with (proving authenticity). It is interesting to note that data signed with the individual’s private key is NOT encrypted. The data being sent is hashed, and then the hash is signed with the sender’s private key.
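As an added illustration (not code from the original post), here are the two cases above in Go’s standard library: Bill encrypts to Joe’s public key, then signs the SHA-256 hash of the plaintext with his own private key, and the verifier rejects a tampered message. The party names and the message are constructed sample values, and RSA-OAEP / RSA-PSS are this example’s choice of padding schemes, not something the post specifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair makes one party's key pair: the private half stays with its
// owner, the public half (&key.PublicKey) can be handed out freely.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Confidentiality: encrypt to the recipient's public key (RSA-OAEP, SHA-256);
// only the holder of the matching private key can decrypt.
func EncryptTo(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Non-repudiation: the message itself is NOT encrypted; its SHA-256 hash is
// signed with the sender's private key (RSA-PSS).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify checks the signature with the sender's public key; any change to the
// message or signature, or a different signer, makes it return false.
func Verify(sender *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(sender, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	bill, _ := GenerateKeyPair() // constructed sample parties
	joe, _ := GenerateKeyPair()
	ct, _ := EncryptTo(&joe.PublicKey, []byte("pay invoice 17")) // anyone holding Joe's public key can do this
	pt, _ := Decrypt(joe, ct)                                    // only Joe can do this
	sig, _ := Sign(bill, pt)
	fmt.Println(string(pt), Verify(&bill.PublicKey, pt, sig))          // pay invoice 17 true
	fmt.Println(Verify(&bill.PublicKey, []byte("pay invoice 18"), sig)) // tampered: false
}
```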

The main problem with this form of cryptography is that one needs to obtain the other party’s public key. Additionally, one must trust that the key is truly from the individual claiming ownership. Trust is everything here! In practice there are two ways to deal with this:

1. Public-Key Infrastructure (PKI)
2. “Web of Trust”

Both methods rely on the use of a trusted third party.

Public-Key Infrastructure (PKI) relies on a more formalized method: Certificate Authorities (or CAs). These certificate authorities vouch for the ownership of the key pairs. Some of the larger well-known CAs are Thawte, Verisign, Entrust, DigiCert and GoDaddy. These Certificate Authorities provide various levels of security and assurance. It is generally believed that these Certificate Authorities can and should be trusted. Many operating system vendors (Microsoft, Apple, etc.) bundle the CAs’ root certificates along with their offerings. This makes the process much easier on the end user. It should be noted that any organization can become its own Certificate Authority. In this case, all hosts/individuals looking to trust/use certificates created by that CA must have its root certificate installed.

The other way to ensure the authenticity of keys is through PGP’s “Web of Trust”. In this method anyone can generate a key. Again the problem is a matter of trust. If you know the individual the key belongs to, it is easy to trust the key, BUT what if you have never met the individual? Well, one way to solve this problem is ‘six degrees of separation’. Six degrees of separation refers to the idea that, if a person is one step away from each person they know and two steps away from each person who is known by one of the people they know, then everyone is an average of six “steps” away from each person on Earth (wikipedia.org, 2008). This being said, surely we can find someone, who knows someone, who knows the person we’re looking for! The Web of Trust consists of individuals that sign the keys of other individuals that they know and trust. For example:

Bill trusts Joe AND Joe trusts Lucas THEN Bill can trust Lucas.

This may be a bit exaggerated, but the idea is that if I know and trust someone then I can trust the people they know and trust. Extreme care is needed not to turn the ‘Web of Trust’ into a modern-day version of Facebook where casual acquaintances are simply accepted at face value. Individuals need to be scrutinized and vetted.
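An added example, not part of the original post, of how a Web of Trust turns “Bill trusts Joe and Joe trusts Lucas” into a decision that still enforces the vetting asked for above: a key is only valid if it is certified by signers whose own keys are valid AND to whom we have explicitly assigned owner trust, with a threshold for marginal signers and a cap on chain length, so a pile of signatures from unvetted strangers counts for nothing. The trust levels, thresholds and the names bill/joe/lucas/dana are this example’s simplified model and constructed data, not GnuPG’s implementation.

```go
package main
import "fmt"

// Owner trust: how far we trust a key's owner to vouch for others' keys.
// Ultimate marks our own key, which is valid by definition.
const (
	Unknown = iota
	Marginal
	Full
	Ultimate
)

// Signers[k] lists the keys that signed key k; Trust[k] is the owner-trust we
// assigned to k (keys missing from Trust are Unknown).
type WebOfTrust struct {
	Signers map[string][]string
	Trust   map[string]int
}

// Valid reports whether key can be relied on: it is ours, or it is signed by a
// valid fully-trusted key, or by at least `need` valid marginally-trusted keys,
// within at most maxDepth hops (simplified rules in the spirit of PGP's model).
func (w *WebOfTrust) Valid(key string, maxDepth, need int) bool {
	return w.valid(key, maxDepth, need, map[string]bool{})
}

func (w *WebOfTrust) valid(key string, depth, need int, seen map[string]bool) bool {
	if w.Trust[key] == Ultimate {
		return true
	}
	if depth == 0 || seen[key] { // chain too long, or a signature cycle
		return false
	}
	seen[key] = true
	defer delete(seen, key)
	var count [4]int // signatures from VALID signers, bucketed by owner trust
	for _, s := range w.Signers[key] {
		// Unvetted signers count for nothing, however many of them there are.
		if w.Trust[s] != Unknown && w.valid(s, depth-1, need, seen) {
			count[w.Trust[s]]++
		}
	}
	return count[Ultimate]+count[Full] >= 1 || count[Marginal] >= need
}

func main() { // constructed sample: Bill (us) signed Joe, Joe signed Lucas, Lucas signed Dana
	w := &WebOfTrust{Signers: map[string][]string{"joe": {"bill"}, "lucas": {"joe"}, "dana": {"lucas"}},
		Trust: map[string]int{"bill": Ultimate, "joe": Full, "lucas": Marginal}}
	fmt.Println(w.Valid("lucas", 5, 3), w.Valid("dana", 5, 3)) // true false
}
```

Lucas is valid because Joe, whom Bill trusts fully, signed him; Dana is not, because her only signer is Lucas, whose owner trust is merely marginal.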

Resources:

Various (2008, November 22). Six degrees of separation. Retrieved December 3, 2008 from http://en.wikipedia.org/wiki/six_degrees_of_separation