Big Data: Is Our Security Keeping Pace?
Presented at the 2014 Gravitec Store Location Conference by James Puffer

Target
Last December Target was hacked for 40 million records.
In January Target reports another hack for 70 million records.
Total hack: 110 million records!
Was this done by a global cybercrime group? … or by one employee making a bad choice?

Edward Snowden
He worked for the CIA and then the NSA and leaked thousands of classified documents to media outlets. The documents showed details of a global surveillance program, especially the mass collection of phone data.
Robert Gates: “He’s a traitor that should face the music.”
SXSW Festival: “He’s a whistleblower and a hero.”
You think we’re divided on this issue?

These Two Incidents Raise Questions About:
► What data are being collected?
► How are the data being collected?
► How are the data being used?
► How secure (private) are the data?
How can we deal with all of this information responsibly?

Objectives:
● Better understand the complex issues of big data security and privacy
● Make better personal decisions about personal data
● Implement better corporate policies regarding the collection, use and safeguarding of customer data
Overall goal: Produce better, pro-active solutions

Why is This Important to Us?
Because all of us are tangled up in big data at every level:
● We are collecting data
● Our data are being collected
● We are using BIG DATA in one way or another
● Our privacy and confidentiality are at risk
Each of us has a LOT to gain … or lose!

The Current Situation: More Data!
● How much is too much?
● What data should NOT be collected?
● What techniques of collection step over the “line”?
● What kinds of analysis are out of bounds?
Security is not improving as fast as hacking.
We are allowing technology to drive our boundaries!

Are We Headed Towards “Impossible Privacy”?
Case: Who Has Your Social Security Number?
● Social Security Administration
● Your credit card companies
● Your bank
● Your mortgage company
● IRS
● Law enforcement?
● Your retirement accounts
● Your health care providers
● Your insurance companies
● Your spouse, kids?
● Your employer
● ???

Are We Headed Towards “Impossible Privacy”?
Another Case: Google
Google has every single email you ever sent using Gmail. They have it stored and indexed, and they have built models of your behavior. Yahoo and Facebook have been doing similar things.
How secure do you feel?

Why is This Important to Us Professionally?
Professional information is being collected about you, much more than you think, probably more than you would approve.
What are the corporate risks?
Your company’s data collection and security will affect customer perception.
Company data collections are hackable:
● Store designs
● Consumer/loyalty data
● Prospective sites
● Forecasting models and casing data
● Sales history
● Employee data

Understanding Data Context
● Data fields have privacy context: The IRS can collect my SSN, but not a grocer.
● Data fields have utility context: My photo has great value for my passport, but not for Amazon.
● Data analysis has context: Use my purchase history to generate relevant coupons, but not for determining price.

Understanding Data Context
1. Data fields have privacy context
● Collecting with permission: customer addresses, phones, purchases, IRS data, medical info (at health provider), banking, schools.
● Collecting with “sort of” permission: Internet visits (cookies), credit history, security cameras, satellite imagery, unreadable EULAs.
● Collecting without permission: NSA’s PRISM program, viruses, worms, key logging, store casings, drones, smart phones, tablets, hacking, purchases of data from other sources.

Understanding Data Context
2. Data fields have utility context
● Wide utility: customer addresses, phones, email addresses, purchases, EULAs, demographics.
● Medium utility: Internet visits (cookies), credit card info, security cameras, satellite imagery, store casings, credit history, SSN.
● Narrow utility: NSA’s PRISM program, key logging, drones, medical information.

Understanding Data Context
3. Data analysis has context

The Data Rubik Cube

Big Data and Security Topics
● The Best Security
● Biometrics
● Hacking
● The “Cloud”
● Wireless Data & Encryption
● Social Networks

Big Data and Security Topics: The Best Security
● Starts with a really good plan
● Incorporates multiple tiers
● Utilizes the best technology, like firewalls, encryption, etc.
● Emphasizes well-trained employees
● Multiple recovery plans, rehearsed
● Well-defined accountability
Still, there are random influences: no security is perfect.
Lavabit had a special secure email with 2,500 character encryption. The NSA sued to get the key, and they won. Instead of turning over the key, Lavabit folded.

Big Data and Security Topics: Biometrics
● The legal status of gathering and using biometrics is unclear.
● Police started using biometrics in 2011 to recognize offenders.
● DNA databases and recognition are far more common.
● The FBI is building a next-generation database with fingerprints, iris scans, palm prints, voice data and facial recognition.
● The NYC “Domain Awareness System” has 3,000 cameras that can recognize and track people and cars.
Who owns your biometric data? It’s easy to replace a stolen credit card, but how about fingerprints or DNA?

Big Data and Security Topics: Hacking
A Brief History:
● In the “early days” hacking was a hobby that could get a little cash or a mail-order item.
● Hacking moved to a larger scale, getting lots of info and selling it.
● Hackers then built great software for sale.
● Now hackers can make a great living hacking for government covert ops, e.g., Snowden’s TAO.
Remember when hackers were criminals?

Big Data and Security Topics: Hacking
Hacking is not a hobby: it is a profession with specialties and a very good income.
Nearly every home computer has been hacked.
Hacking technology is never very far behind security, and it always catches up quickly.
Many governments are very active hackers:
● The STUXNET virus disrupted Iran’s enrichment program.
● The Chinese government has a hacker building.

The “Cloud”
Definition: Expandable storage on network servers.
● No cloud: Storage is duplicated on every device.
● Using the cloud: One copy serves every device.
This kind of storage encourages you to buy more devices from the same manufacturer. “The cloud” or “the leash”?

The “Cloud”
Many companies offer free cloud storage: up to 10 Gb. You could buy a 1Tb drive for less than $100. That makes 100 “gifts” of storage for $1 each.
If all your pictures, music, data, books are in the cloud, you could use up your wireless data limit quickly.
Apple and Microsoft are really pushing cloud storage, beginning to limit non-cloud choices:
● Apple devices will now only sync contacts wirelessly.
● Microsoft requires a CloudDrive account to get apps.

The “Cloud”: The Risks
● Internet security breaches happen often.
● If the server goes down, your devices can’t access data. (Both Amazon and Gmail have gone dark.)
● Lack of access if you have no Internet access.
● Syncing and redundancy bugs are common.
● If a hacker gets your password, you may be locked out of all your devices.
Your security is only as good as the weakest link in the chain.

Wireless Data and Encryption
Includes: cell phones, tablets, laptops, desktops, car systems, security cameras, printers, headphones, speakers, mice and keyboards, GPS, gaming systems, pet training, musical instruments, RFID devices, walkie-talkies, marine radios, fans, air conditioners, heaters, lights, door locks, smoke alarms, garage door openers, …
Scrappy remote control garbage disposal.

Wireless Data and Encryption
● Most wireless data is secure (encrypted), but data are almost never encrypted entirely from start to end-point. That makes data susceptible to “man-in-the-middle” attacks.
● If the computer on either end is compromised, then encryption keys can be stolen, as well as data.
● Some magnetic things can be sensed from a distance.
● Some companies have helped the NSA get past their own encryption technology.

Wireless Data and Encryption
Snoopy Drone: Can move around and pinch data from your smart phone or tablet without you even being aware of what’s happening.
Which is scarier? The fact that we have the technology to do this? Or the fact that the manufacturer shows it openly and has demonstrated its abilities to the media?

Social Networks (Or How to be Stupid With a Lot of Company)
● The NSA is able to access most using a “back door” technique.
● Digital wiretapping is easy and allows access to every keystroke.
● Most photos from phones are now geo-tagged.
Just assume that everyone has (or will have) access to everything you do on a social site. Also assume that anything you give anyone will eventually be uploaded to a social site for everyone’s access.

The Future: Option-1
We allow technology to continue without data boundaries, never completely aware of what data are collected, how they are collected, or how they are used.
We allow consumer reactions to provide controls. There are lots of companies that remove consumer reactions!

The Future: Option-2
We get more alert and aggressive with our understanding and react quickly to create boundaries.
This is absolutely necessary, but not enough. This would be entirely reactive, not proactive. Consumers rarely have the complete picture.
Example: The new iPhone has a million permission switches for your phone apps. That looks good for Apple, but do you really know what the phone is doing?

The Future: Option-3
We begin to anticipate the direction of data collection and use, and we create the boundaries before technology arrives at those points.
We need to carefully define data ownership at the source, and “data theft.”
Can we make laws that require data reporting, perhaps including data licensing and annual reports, similar to the SEC?
Can we make laws that limit the type of data collected based on its eventual purpose?
Both of the above ideas would rely on very heavy consequences for violations, including for government agencies.

The Perfectly-secure Computer