What is the unauthorized disclosure of information?

This course provides an overview of what unauthorized disclosure is, including specific types of unauthorized disclosure and some common misconceptions about unauthorized disclosure. This course will also discuss the types of damage caused by unauthorized disclosure and the various sanctions one could face if caught engaging in unauthorized disclosure.

NOTE 1: If you are completing this course as a prerequisite for a CDSE instructor-led course or as part of a specific CDSE training curriculum, you must take the Unauthorized Disclosure of Classified Information and Controlled Unclassified Information Exam in STEPP to receive credit for completion. The passing grade for the examination is 75%. You may register for the exam via STEPP at https://cdse.usalearning.gov/course/view.php?id=800.

NOTE 2: A certificate is provided after this course is completed; however, there is no record maintained by CDSE. Students must print or save a local copy of the certificate as proof of course completion.

Confidentiality—“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…”

A loss of confidentiality is the unauthorized disclosure of information.

Integrity—“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…”

A loss of integrity is the unauthorized modification or destruction of information.

Availability—“Ensuring timely and reliable access to and use of information…”

A loss of availability is the disruption of access to or use of information or an information system.

Risk Assessment is a process that determines what information technology resources exist that require protection, and that seeks to understand and document potential risks from IT security failures that may cause loss of information confidentiality, integrity, or availability.

Control Activities are the policies, procedures, techniques, and mechanisms that help ensure that management's response to reduce risks identified during the risk assessment process is carried out.

Information Assets—Definable pieces of information in any form, recorded or stored on any media that is recognized as “valuable” to the University.

Access Control refers to the process of controlling access to systems, networks, and information based on business and security requirements.

ISO (International Organization for Standardization)—An international-standard-setting body composed of representatives from various national standards organizations.

NIST (National Institute of Standards and Technology)—A non-regulatory federal agency within the U.S. Department of Commerce whose mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

VPN (Virtual Private Network)—A network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to the University’s network. VPNs use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

IDS (Intrusion Detection System)—A device (or application) that monitors network and/or system activities for malicious activities or policy violations.

IPS (Intrusion Prevention System)—A device (or application) that identifies malicious activity, logs information about said activity, attempts to block/stop activity, and reports activity.

Encryption—Process of converting information so that it is humanly unreadable except by someone who knows how to decrypt it.

Independent Assessor Audit Guide

Laura P. Taylor, in FISMA Compliance Handbook, 2013

Confidentiality tests

Confidentiality tests determine if unauthorized disclosure is possible. When you perform confidentiality tests, you are trying to determine if data are disclosed to people that they are not intended for. Before you can perform confidentiality testing, you have to understand a bit about confidentiality risks and vulnerabilities. Some of the ways that confidentiality can be lost are:

Data traveling in plaintext over communications lines (vulnerable to sniffing)

Weak passwords compromised (using password crackers)

Papers left on printers (can be read by unauthorized individuals)

Inadvertently publishing sensitive information on publicly accessible Web sites

Shoulder surfing

Unauthorized intruders

System authorizations and permissions incorrectly configured (allowing unauthorized roles to view data)

Confidentiality tests look to ensure that authentication and encryption mechanisms work according to the security requirements. Proper authentication helps ensure that only the authorized individuals can use the system and view the data. It’s important to ensure that authentication and encryption mechanisms are not only implemented, but that safeguards are built around the controls themselves to protect them from being sabotaged.

If it appears that “shoulder surfing” is a risk, then security assessors should report that on the Security Assessment Report so that the system owner and ISSO can work on correcting it. If you have reason to believe social engineering (tricking a user into revealing sensitive information to unauthorized individuals) is a risk, security assessors may want to recommend addressing social engineering during annual security training.

If password files exist, you may want to perform a test to ensure that the passwords are properly encrypted using a salted hash to prevent discovery using a brute-force dictionary attack. Security assessors may also want to verify that the permissions on the password files are set correctly and are not writeable to the world. Last, passwords should always be created using a salted hash and the salt should never be reused. A short list of tools for testing the security of passwords appears later in the section on “Security testing tools.”
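One way an assessor could script the password-file checks described above, as an added example that is not from the handbook: it assumes a Linux `/etc/shadow`-style file with modular-crypt hashes, and the sample entries, function names and finding strings are constructed for illustration.

```python
import os
import stat
from collections import defaultdict

# Constructed sample in /etc/shadow layout; hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = """\
alice:$6$Qx7Lm2pR$PLACEHOLDERHASHA:19000:0:99999:7:::
bob:$6$Qx7Lm2pR$PLACEHOLDERHASHB:19000:0:99999:7:::
carol:$6$rounds=10000$Zt4vN8wK$PLACEHOLDERHASHC:19000:0:99999:7:::
dave:0123456789abcdef0123456789abcdef:19000:0:99999:7:::
erin:!!:19000:0:99999:7:::
frank:$2b$12$abcdefghijklmnopqrstuvPLACEHOLDERHASHPLACEHOLDERHASH1:19000:0:99999:7:::
"""


def extract_salt(field):
    """Return (scheme, salt) for a modular-crypt hash, or None if no salt is found."""
    field = field.lstrip("!")          # a leading '!' only marks a locked account
    parts = field.split("$")           # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if len(parts) < 4 or parts[0] != "":
        return None
    scheme = parts[1]
    if scheme in ("1", "5", "6"):      # md5crypt, sha256crypt, sha512crypt
        idx = 3 if parts[2].startswith("rounds=") else 2
        if len(parts) <= idx + 1 or not parts[idx]:
            return None
        return scheme, parts[idx]
    if scheme in ("2a", "2b", "2y"):   # bcrypt: cost, then 22-char salt + hash
        if len(parts[3]) < 22:
            return None
        return scheme, parts[3][:22]
    return None


def audit_entries(lines):
    """Flag entries that are not salted hashes and accounts that share a salt."""
    findings = []
    salts = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, field = fields[0], fields[1]
        if field.lstrip("!") in ("", "*", "x"):
            continue                   # locked or shadowed: no hash to examine
        parsed = extract_salt(field)
        if parsed is None:
            findings.append((user, "not a salted hash"))
        else:
            salts[parsed].append(user)
    for users in salts.values():
        if len(users) > 1:             # same scheme and salt on several accounts
            findings.extend((u, "salt reused") for u in users)
    return findings


def world_writable(path):
    """True if the 'other' write bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


if __name__ == "__main__":
    for user, issue in audit_entries(SAMPLE_SHADOW.splitlines()):
        print(f"{user}: {issue}")
```

Run against the real file, the findings list and the `world_writable()` result can be recorded in the Security Assessment Report.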

If VPNs are a part of the system that is being tested, the assessors will need to devise some tests to ensure that VPNs have been properly configured and cannot be penetrated by unauthorized users. Assessors should describe in the test report whether the VPNs in use by the system are secure remote access VPNs (used by remote users) or end-to-end VPNs that encrypt all traffic that goes between designated sites. VPNs can be configured to pass packets in tunnel mode, transport mode, or both. Which modes does your security policy require? Assessors should make sure that VPNs are configured in accordance with that system’s security policy.

Confidentiality problems that you’ll want to check for include:

Passwords that do not comply with the security policy

Authentication mechanisms that are not properly configured

Use of encryption algorithms that do not comply with the security policy

Correct configurations of encryption products (VPNs, PKI, etc.)

Implementations that do not produce logging capabilities (to review who has viewed data).

URL: https://www.sciencedirect.com/science/article/pii/B9780124058712000208

Introduction to IP Network Security

Eric Knipp, ... Edgar Danielyan, Technical Editor, in Managing Cisco Network Security (Second Edition), 2002

Confidentiality

Confidentiality protects sensitive information from unauthorized disclosure or intelligible interception. Cryptography and access control are used to protect confidentiality. The effort applied to protecting confidentiality depends on the sensitivity of the information and the likelihood of it being observed or intercepted.

Damage & Defense…

Cleartext Passwords

Passing passwords in cleartext that permit administrative access to systems is a severe security risk. Use access control mechanisms, and where possible, encryption controls (such as SSH) to communicate with infrastructure devices. Many Cisco devices will support SSH with a modern image.
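A configuration review for the cleartext-management risk above, as an added example that is not from the book: it assumes Cisco IOS `line vty` stanzas with the `transport input` subcommand (syntax the excerpt does not show), and the device configuration and finding strings are constructed.

```python
# Constructed IOS-style configuration fragment for illustration only.
SAMPLE_CONFIG = """\
hostname lab-rtr-01
!
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
line vty 16 31
 login local
!
end
"""


def parse_line_stanzas(config):
    """Map each top-level 'line ...' header to its indented subcommands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None             # any other top-level line ends the stanza
    return stanzas


def audit_vty(config):
    """Report VTY lines whose remote-access transport is not restricted to SSH."""
    findings = []
    for header, cmds in parse_line_stanzas(config).items():
        if not header.startswith("line vty"):
            continue                   # console/aux lines are not network logins
        transports = [c.split()[2:] for c in cmds
                      if c.startswith("transport input")]
        if not transports:
            findings.append(
                (header, "no explicit 'transport input'; platform default applies"))
            continue
        allowed = set(transports[-1])  # the last statement in the stanza wins
        if allowed & {"telnet", "all"}:
            findings.append((header, "cleartext Telnet permitted"))
    return findings


if __name__ == "__main__":
    for header, issue in audit_vty(SAMPLE_CONFIG):
        print(f"{header}: {issue}")
```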

Network encryption can be applied at any level in the protocol stack. Applications can provide end-to-end encryption, but each application must be adapted to provide this service. Encryption at the transport layer is used frequently today. Virtual private networks (VPNs) can be used to establish secure channels of communication between two sites or between an end user and a site. (VPNs are covered in more detail in Chapter 5.) Encryption can be used at the OSI data-link layer, but doesn’t scale easily; every networking device in the communication pathway would have to participate in the encryption scheme. Data-link layer encryption is making a comeback in the area of wireless security, such as in IEEE 802.11. Physical security, meanwhile, is used to prevent unauthorized access to network ports or equipment rooms. One of the risks at the physical level is violation of access control through the attachment of promiscuous packet capture devices to the network, particularly with the widespread use of open source tools such as Ethereal (www.ethereal.com) and tcpdump (www.tcpdump.org) that permit nearly any host to become a packet decoder.

URL: https://www.sciencedirect.com/science/article/pii/B9781931836562500052

Domain 1: Security and Risk Management (e.g., Security, Risk, Compliance, Law, Regulations, Business Continuity)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

Confidentiality

Confidentiality seeks to prevent the unauthorized disclosure of information: it keeps data secret. In other words, confidentiality seeks to prevent unauthorized read access to data. An example of a confidentiality attack would be the theft of Personally Identifiable Information (PII), such as credit card information.

Data must only be accessible to users who have the clearance, formal access approval, and the need to know. Many nations share the desire to keep their national security information secret and accomplish this by ensuring that confidentiality controls are in place.

Large and small organizations need to keep data confidential. One U.S. law, the Health Insurance Portability and Accountability Act (HIPAA), requires that medical providers keep the personal and medical information of their patients private. Can you imagine the potential damage to a medical business if patients’ medical and personal data were somehow released to the public? That would not only lead to a loss in confidence but could expose the medical provider to possible legal action by the patients or government regulators.

URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000023

Domain 1

Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP® (Third Edition), 2017

Confidentiality, Integrity, and Availability

Confidentiality, integrity, and availability are referred to as the CIA triad, which is the cornerstone concept of information security. The triad, shown in Fig. 1.1, forms the three-legged stool upon which information security is built. The order of the acronym may change (some prefer AIC, perhaps to avoid association with a certain intelligence agency), but that is not important; what is critical is understanding each concept. This book will use the CIA acronym.

Fig. 1.1. The CIA triad.

Confidentiality

Confidentiality seeks to prevent the unauthorized disclosure of information; it keeps data secret. In other words, confidentiality seeks to prevent unauthorized read access to data. An example of a confidentiality attack would be the theft of personally identifiable information (PII), such as credit card information.

Integrity

Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data.

Crunch Time

There are two types of integrity: data integrity and system integrity. Data integrity seeks to protect information from unauthorized modification, while system integrity seeks to protect a system, such as a Windows 2012 server operating system, from unauthorized modification.

Availability

Availability ensures that information is available when needed. Systems need to be usable (available) for normal business use. An example of an attack on availability would be a denial of service (DoS) attack, which seeks to deny service (or availability) of a system.

Disclosure, alteration, and destruction

The CIA triad may also be described by its opposite: disclosure, alteration, and destruction (DAD). Disclosure is the unauthorized release of information, alteration is the unauthorized modification of data, and destruction is making systems or data unavailable. While the order of the individual components of the CIA acronym sometimes changes, the DAD acronym is shown in that order.

URL: https://www.sciencedirect.com/science/article/pii/B9780128112489000012

Looking Ahead: Cisco Wireless Security

Eric Knipp, ... Edgar Danielyan, Technical Editor, in Managing Cisco Network Security (Second Edition), 2002

Ensuring Confidentiality

Confidentiality attempts to prevent the intentional or unintentional unauthorized disclosure of communications between a sender and recipient. In the physical world, ensuring confidentiality can be accomplished by simply securing the physical area. However, as evidenced by bank robberies and military invasions, threats exist to the security of the physical realm that can compromise security and confidentiality.

The moment electronic means of communication were introduced, many new possible avenues of disclosing the information within these communications were created. The confidentiality of early analog communication systems, such as the telegraph and telephone, was easily compromised by simply having someone connect to the wires used by a sender and receiver.

When digital communications became available, like with many technologies, it was only a matter of time until knowledgeable people were able to build devices and methods that could interpret the digital signals and convert them to whatever form needed to disclose what was communicated. And as technology grew and became less expensive, the equipment needed to monitor and disclose digital communications became available to anyone wishing to put the effort into monitoring communication.

With the advent of wireless communications, the need for physically connecting to a communication channel to listen in or capture confidential communications was removed. Although you can achieve some security by using extremely tight beam directional antennas, someone still just has to sit somewhere in between the antennas to be able to monitor and possibly connect to the communications channel without having to actually tie into any physical device.

Having knowledge that communications channels are possibly compromised allows us to properly implement our policies and procedures to mitigate the wireless risk. The solution used to ensure The Big Three and other security tenets is encryption.

The current implementation of encryption in today’s wireless networks uses the RC4 stream cipher to encrypt the transmitted network packets, and WEP to protect authentication into wireless networks by network devices connecting to them (that is, the network adapter authentication, not the user utilizing the network resources). Both, due mainly to improper implementations, have introduced sufficient problems that it has become possible to determine the keys used and then either falsely authenticate to the network or decrypt the traffic traveling across the wireless network. For more information on encryption and cryptography please refer to Chapter 6.

With these apparent problems, those in charge of wireless network security should utilize other proven and properly implemented encryption solutions, such as Secure Shell (SSH), Secure Sockets Layer (SSL), or IPSec.

URL: https://www.sciencedirect.com/science/article/pii/B9781931836562500192

Elicitation of Probabilities and Probability Distributions

L.J. Wolfson, in International Encyclopedia of the Social & Behavioral Sciences, 2001

Under confidentiality, identifiable data provided for statistical purposes is protected from unauthorized disclosure. Organizations acting as brokers between respondents and data users seek to disseminate useful data products while keeping low the risk of confidentiality disclosure. Recognizing that deidentification of each data record is generally inadequate to protect its confidentiality against attack by a data snooper, agencies restrict the data they release for general use. Typically, these restricted data procedures have involved transformation or masking of the original collected data through such devices as adding noise, topcoding, data swapping, and recoding. Another approach is to use the original data to determine a statistical model and use it to generate synthetic data. Generically, statistical disclosure limitation is a body of restricted data procedures that transform data so that release of the transformed data adequately limits disclosure risk. Desirably, statistical analysis of the transformed data leads to inferences similar to those obtained by analysis of the original data. The technical procedures for implementation of disclosure limitation involve a range of mathematical and statistical tools.

URL: https://www.sciencedirect.com/science/article/pii/B0080430767004125

The Changing Corporate Landscape

John G. Iannarelli, Michael O’Shaughnessy, in Information Governance and Security, 2015

Law and Compliance

Information security laws are designed to protect personally identifiable information from compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other situations where unauthorized persons have access or potential access to such information for unauthorized purposes. Data breach notification laws typically require covered entities to implement a breach notification policy, and include requirements for incident reporting, handling, and external breach notification.1

There is no one particular law that governs data breaches. Essentially, every state has different regulations and requirements pertaining to data breaches, and companies must adhere to the laws of the states in which they reside as well as those of states in which they are doing business.

Depending upon for whom the information is collected, the federal government will also have regulations that must be followed subsequent to a breach. For example, medical data would involve HIPAA. These requirements have resulted from federal privacy legislation that covers such areas as health care, securities, and in some cases the Internet. Whether state or federal, the regulations surrounding breaches seek to have information governance policies in place in order to mitigate the risks as much as possible and—when the inevitable breach occurs—to ensure anyone who might have been a victim is properly notified so that they can take steps to protect themselves.

Currently, forty-seven states, the District of Columbia, and several US territories have enacted legislation that requires notification of security breaches involving personal information. Because the companies were victims themselves, these laws do not directly hold companies accountable for the losses sustained due to the breaches. However, there remains the potential for civil litigation in the form of class action lawsuits so that the affected individuals can be compensated for their losses. While the costs of notifying thousands of victims at a time can be expensive, the prospect of having to reimburse these thousands of individuals—as we have seen in the Target breach—is frightening. Of course, lawsuits of this type generally succeed only when negligence is present. Hence, a proper information governance policy can show a good faith effort on the part of the company, which can overcome a presumption of negligence.

The nation’s largest data brokers, retailers, educational institutions, government agencies, health care entities, financial institutions, and Internet businesses have disclosed numerous data breaches and computer intrusions.2

The Privacy Rights Clearinghouse chronicles and reports that over 345 million records containing sensitive personal information were involved in security breaches in the United States since January 2005. From February 2005 to December 2006, 100 million personal records were reportedly lost or exposed. As an example, in 2006 the personal data of 26.5 million veterans was breached when a VA employee’s hard drive was stolen from his home.3 The common denominator in these data breaches is that the attackers were seeking to obtain sensitive personal information, which they put to criminal use by means of identity theft to commit various frauds, such as taking out a mortgage in someone else’s name or having credit cards issued on the victim’s bank account.

If any positive has come out of the multitude of data breaches, it is that the public has become much more aware of the dangers. Just a few short years ago, most would not have given a second thought to the release of his or her own personal identifying information to a doctor’s office or a business. Now, however, when asked for such information, many people will immediately wonder who will have access to this information and whether they have anything to fear regarding its security. In today’s changing corporate landscape, businesses have to consider these concerns and put their clients’ minds at ease, reassuring the public that they are competent at managing personally identifiable information. Failure to do so will inevitably result in the loss of the public’s trust—as well as the public’s business. With the variety of remedies that are available to consumers through the legal system, a breach means corporations can expect greater financial problems than just the loss of future business.

The medical profession in particular has undergone dramatic changes in the way it collects patient information and the regulations under which it must operate. By 2017, all medical records within the United States are expected to have been transformed from handwritten patient charts to online medical records. The benefits of this are obvious. Doctors with multiple offices can pull up patient records wherever they are working. Medical reports prepared by one doctor can be sent immediately to a treating specialist. If you are the victim of a serious accident or injury while away from home, your primary care physician can send all of your medical information immediately to the emergency room that is treating you. But when it comes to data breaches, this new advance in the way the medical profession retains its patient records brings with it additional dangers that had not previously existed.

Say, for example, that your medical records have been compromised, but you are unaware of it. Someone decides they are then going to use your medical records and medical insurance to receive treatment in your name. There is obviously the potential financial loss of paying another’s co-pays, along with the possibility that your insurance rates might be raised or your policy cancelled. In the case of electronic medical records, the consequences can be far greater than just financial loss. What if the person using your medical records suffers from a particular illness or ailment? They might be treated with medications that will help them, but could have an adverse effect on you should you be treated by another doctor who uses these same medications. We have now entered an environment where a data breach could cost more than money; it could cost lives.

URL: https://www.sciencedirect.com/science/article/pii/B9780128002476000042

What is an unauthorized disclosure security event?

Unauthorized Disclosure, or UD, is the communication or physical transfer of classified information or controlled unclassified information, or CUI, to an unauthorized recipient.

What is a consequence of an unauthorized data disclosure?

The long-term consequences: Loss of trust and diminished reputation. Perhaps the biggest long-term consequence of a data breach is the loss of customer trust. Your customers share their sensitive information with businesses like yours assuming that you'll have the proper security measures in place to protect their data ...

What is an example of unauthorized disclosure?

Examples of this type of unauthorized disclosure include, but are not limited to, leaving a classified document on a photocopier, forgetting to secure classified information before leaving your office, and discussing classified information in earshot of unauthorized recipients.

Can an unauthorized disclosure of information classified as confidential?

(3) "Confidential" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security. Section 1.1(b) of EO 12356 states that "except as otherwise provided by statute, no other terms shall be used to identify classified information."