Big Data and Security

Big Data: Is Our Security Keeping Pace?
Presented at the 2014 Gravitec Store Location Conference by James Puffer
Last December Target was hacked for 40 million records
In January Target reports another hack for 70 million records
Total hack: 110 million records!
Was this done by a global cybercrime group?
… or by one employee making a bad choice?
Edward Snowden
He worked for the CIA and then the NSA and leaked thousands of classified documents to media outlets.
The documents showed details of a global surveillance program, especially the mass collection of phone data.
Robert Gates: “He’s a traitor that should face the music.”
SXSW Festival: “He’s a whistleblower and a hero.”
You think we’re divided on this issue?
These Two Incidents Raise Questions About:
► What data are being collected?
► How are the data being collected?
► How are the data being used?
► How secure (private) are the data?
How can we deal with all of this information responsibly?
Objectives:
Better understand the complex issues of big data security and privacy
Make better personal decisions about personal data
Implement better corporate policies regarding collection, use and safeguard of customer data
Overall goal: Produce better, pro-active solutions
Why is This Important to Us?
Because all of us are tangled up in big data at every level:
We are collecting data
Our data are being collected
We are using BIG DATA in one way or another
Our privacy and confidentiality are at risk
Each of us has a LOT to gain … or lose!
The Current Situation: More Data!
How much is too much?
What data should NOT be collected?
What techniques of collection step over the “line”?
What kinds of analysis are out of bounds?
Security is not improving as fast as hacking.
We are allowing technology to drive our boundaries!
Are We Headed Towards “Impossible Privacy”?
Case: Who Has Your Social Security Number?
Social Security Administration
Your credit card companies
Your bank
Your mortgage company
IRS
Law enforcement?
Your retirement accounts
Your health care providers
Your insurance companies
Your spouse, kids?
Your employer
???
Are We Headed Towards “Impossible Privacy”?
Another Case: Google
Google has every single email you ever sent using Gmail.
They have it stored, indexed, and they have built models of your behavior.
Yahoo and Facebook have been doing similar things.
How secure do you feel?
Why is This Important to Us Professionally?
Professional information is being collected about you, much more than you think, probably more than you would approve.
What are the corporate risks?
Your company’s data collection and security will affect customer perception.
Company data collections are hackable:
Store designs
Consumer/loyalty data
Prospective sites
Forecasting models and casing data
Sales history
Employee data
Understanding Data Context
Data fields have privacy context
The IRS can collect my SSN, but not a grocer.
Data fields have utility context
My photo has great value for my passport, but not for Amazon.
Data analysis has context
Use my purchase history to generate relevant coupons, but not for determining price.
1. Data fields have privacy context
Collecting with permission: customer addresses, phones, purchases, IRS data, medical info (at health provider), banking, schools.
Collecting with “sort of” permission: Internet visits (cookies), credit history, security cameras, satellite imagery, unreadable EULAs.
Collecting without permission: NSA’s PRISM program, viruses, worms, key logging, store casings, drones, smart phones, tablets, hacking, purchases of data from other sources.
2. Data fields have utility context
Wide Utility: customer addresses, phones, email addresses, purchases, EULAs, demographics.
Medium Utility: Internet visits (cookies), credit card info, security cameras, satellite imagery, store casings, credit history, SSN.
Narrow Utility: NSA’s PRISM program, key logging, drones, medical information.
3. Data analysis has context
The Data Rubik Cube
Big Data and Security Topics
● The Best Security
● Biometrics
● Hacking
● The “Cloud”
● Wireless Data & Encryption
● Social Networks
The Best Security
Starts with a really good plan
Incorporates multiple tiers
Utilizes best technology like firewalls, encryption, etc.
Emphasizes well-trained employees
Multiple recovery plans, rehearsed
Well-defined accountability
Still, there are random influences: No security is perfect
Lavabit had a special secure email with 2,500 character encryption. NSA sued to get the key, and they won. Instead of turning over the key, Lavabit folded.
Biometrics
Legal status of gathering and using biometrics is unclear.
Police started using biometrics in 2011 to recognize offenders.
DNA databases and recognition are far more common.
FBI is building next generation database with fingerprints, iris scans, palm prints, voice data and facial recognition.
NYC “Domain Awareness System” has 3,000 cameras that can recognize and track people and cars.
Who owns your biometric data?
It’s easy to replace a stolen credit card, but how about fingerprints or DNA?
Hacking
A Brief History:
In the “early days” hacking was a hobby that could get a little cash or mail-order item.
Hacking moved to larger scale, getting lots of info and selling it.
Hackers then built great software for sale.
Now hackers can make a great living hacking for government covert ops, e.g. Snowden’s TAO.
Remember when hackers were criminals?
Hacking is not a hobby: it is a profession with specialties and a very good income.
Nearly every home computer has been hacked.
Hacking technology is never very far behind security, and it always catches up quickly.
Many governments are very active hackers:
The STUXNET virus disrupted Iran’s enrichment program.
The Chinese government has a hacker building.
The “Cloud”
Definition: Expandable storage on network servers.
No cloud: Storage is duplicated on every device.
Using the cloud: One copy serves every device.
This kind of storage encourages you to buy more devices from the same manufacturer.
“The cloud” or “the leash”?
Many companies offer free cloud storage: up to 10 GB.
You could buy a 1 TB drive for less than $100.
That makes 100 “gifts” of storage for $1 each.
If all your pictures, music, data, books are in the cloud, you could use up your wireless data limit quickly.
Apple and Microsoft are really pushing cloud storage, beginning to limit non-cloud choices.
Apple devices will now only sync contacts wirelessly
Microsoft requires CloudDrive account to get apps.
The “Cloud”: The Risks
Internet security breaches happen often.
If the server goes down, your devices can’t access data.
(Both Amazon and Gmail have gone dark).
Lack of access if you have no Internet access.
Syncing and redundancy bugs are common.
If a hacker gets your password, you may be locked out of all your devices.
Your security is only as good as the weakest link in the chain.
Wireless Data and Encryption
Includes: cell phones, tablets, laptops, desktops, car systems, security cameras, printers, headphones, speakers, mice and keyboards, GPS, gaming systems, pet training, musical instruments, RFID devices, walkie-talkies, marine radios, fans, air conditioners, heaters, lights, door locks, smoke alarms, garage door openers, …
Scrappy remote control garbage disposal.
Most wireless data is secure (encrypted), but data are almost never encrypted entirely from start to end-point.
That makes data susceptible to “man-in-the-middle”.
If the computer on either end is compromised, then encryption keys can be stolen, as well as data.
Some magnetic things can be sensed from a distance.
Some companies have helped NSA get past their own encryption technology.
Snoopy Drone: Can move around and pinch data from your smart phone or tablet without you even being aware of what’s happening.
Which is scarier?
The fact that we have the technology to do this?
The fact that the manufacturer shows it openly and has demonstrated its abilities to the media?
Social Networks
(Or How to be Stupid With a Lot of Company)
The NSA is able to access most using a “back door” technique.
Digital wiretapping is easy and allows access to every keystroke.
Most photos from phones are now geo-tagged.
Just assume that everyone has (or will have) access to everything you do on a social site.
Also assume that anything you give anyone will eventually be uploaded to a social site for everyone’s access.
The Future: Option-1
We allow technology to continue without data boundaries, never completely aware of what data are collected, how they are collected, or how they are used. We allow consumer reactions to provide controls.
There are lots of companies that remove consumer reactions!
The Future: Option-2
We get more alert and aggressive with our understanding and react quickly to create boundaries.
This is absolutely necessary, but not enough.
This would be entirely reactive, not proactive.
Consumers rarely have the complete picture.
Example: The new iPhone has a million permission switches for your phone apps.
That looks good for Apple, but do you really know what the phone is doing?
The Future: Option-3
We begin to anticipate the direction of data collection and use, and we create the boundaries before technology arrives at those points.
We need to carefully define data ownership at the source, and “data theft.”
Can we make laws that require data reporting, perhaps including data licensing and annual reports, similar to the SEC?
Can we make laws that limit the type of data collected based on its eventual purpose?
Both of the above ideas would rely on very heavy consequences for violations, including government agencies.
The Perfectly-secure Computer