Open Data Security Considerations

abdomendebonairSecurity

Nov 2, 2013 (3 years and 5 months ago)

153 views

Information Technology Division

Executive Office for Administration and Finance

December 17, 2009


1

Open Data

Security Considerations

2

Terminology:

Information Systems Security Specialists Tend to
Think About Privacy and Security As Follows


Privacy




the legal
rights

of an individual or entity to
control

the acquisition, storage, distribution and
use of information about themselves/itself

Privacy, defined in this context, warrants the
confidentiality and level of information privacy
available for use by an application, system,
process, or other individual/entity


3

Terminology:

Information Systems Security Specialists Tend to
Think About Privacy and Security (Continued)


Information Systems Security



The ability to achieve specified levels of
C
onfidentiality (privacy),
I
ntegrity, and
A
vailability
(CIA) as a means of protecting individuals and
entities from unauthorized access or use of
information technology resources (ITRs) (e.g., data,
hardware, software, and transmission media)


Security, defined in this context is the means of
implementing

privacy protection controls, available
to or on behalf of individuals and entities

4

But, it is more….


Security is also a way of demonstrating that
systems and applications have been sufficiently
protected to achieve pre
-
specified levels of CIA…
irrespective of whether they process public or
sensitive data

Terminology:

Information Systems Security Specialists Tend to
Think About Privacy and Security (Continued)


5

Massachusetts Open Data Initiative

C
onfidentiality (Privacy) Requirements

Assurance that the information is made publicly
accessible in compliance with applicable privacy,
confidentiality, and other relevant legal
requirements


Affirmatively

defined in conformance with public
disclosure laws such as the Massachusetts Public
Records Law and with consideration to
Enterprise Information Security Standards
:
Data
Classification


1

http://www.mass.gov/Eoaf/docs/itd/policies_standards/DCStandardsDraftFD.rtf


1

6

“When data previously available from a few hundred
government sources suddenly starts becoming
available via thousands of Web sites


including
widely used social networks like Facebook and
MySpace


there need to be controls in place to
protect against inadvertent leaks “



U.S. mistakenly posts list of civilian nuke sites




TSA investigates online posting of airport screening
procedures


1

2

3

Computerworld: Open government could lead to data leaks; Experts say standards are needed to avoid exposure
of sensitive information, by Jaikumar Vijayan
-

June 15, 2009 12:01 AM ET
http://www.computerworld.com/s/article/340078/Open_Government_Could_Lead_to_Data_Leaks


http://www.computerworld.com/s/article/9133921/U.S._mistakenly_posts_list_of_civilian_nuke_sites_


http://www.latimes.com/news/nation
-
and
-
world/la
-
na
-
tsa9
-
2009dec09,0,6418033.story

1

2

3

Data
C
onfidentiality (Privacy) Controls
must mean more than a policy

7

Massachusetts Open Data Initiative

I
ntegrity (Reliability) Requirements

Assurance that the information as well as the
information technology resources (ITRs), (I.e.,
data, hardware, software, and transmission media)
are protected against unauthorized access or use
(I.e.,
modification
)


“State government data must be up to date,

accurate, credible, reliable, appropriate, secure and

complete. That is, the quality of data presented on

a state data.gov portal will be assured.”


1

“A call to Action for State Government: Guidance for Opening the Doors to State Data”

http://www.nascio.org/publications/documents/NASCIO
-
DataTransparency.pdf


1

8

Massachusetts Open Data Initiative

A
vailability (Presence) Requirements

Assurance that information as well as the ITRs are
protected against unplanned and/or unauthorized
service outage, disruption, or degradation


information obtainable and accessible to authorized
users in accordance with specified service level
objectives


9

“If an organization isn't taking a systematic and
proactive approach to web security, and to running
a web application vulnerability assessment in
particular, then that organization isn't defended
against the most rapidly increasing class of attacks.”


“Gartner estimates that 75 percent of attacks on
web security today are aimed straight at the
application layer.”

Web Application Vulnerability Assessment Essentials

http://www.developerfusion.com/article/6845/web
-
application
-
vulnerability
-
assessment
-
essentials/


Security Controls

Most Vulnerable at the Application(
s
) Layer(
s
)

10

Security Controls

Vulnerable at Other Layer(s) Too

September 2009, SANS Top 20 Vulnerabilities

http://www.sans.org/top
-
cyber
-
security
-
risks/?ref=top20#trends

The Top Cyber Security Risks

1

1

11

Deliver Secure Open Data

And We Can Help



Information Security Policies



Vulnerability Scanning & Penetration Testing



Configuration Management



Patch Management



Anti
-
Malware Deployment



Event Monitoring



Compliance Assurance




Managing these three areas alone can account

for 90% of a community’s security posture.


12

‘Why 'Anonymous' Data Sometimes Isn't ”

“With the proliferation of data, what collisions will

occur as more sophisticated analysis methods

emerge? What new correlations and multi
-
variant

analysis may actually pierce the privacy and

security barriers?”

1

In
2006
, Netflix published 10 million movie rankings
by 500,000 customers, as part of a movie reference
challenge. Two researchers at the University of
Texas at Austin, de
-
anonymized some of the Netflix
data by comparing rankings and timestamps with
public

information

in the Internet Movie Database,
or IMDb.

2

2

“A call to Action for State Government: Guidance for Opening the Doors to State Data”

http://www.nascio.org/publications/documents/NASCIO
-
DataTransparency.pdf



http://www.wired.com/politics/security/commentary/securitymatters/2007/12/securitymatters_1213

1

2

13

Security Considerations Checklist

The
data

owner

has affirmed the following:


Publicly accessible use of the information is in conformance
with Massachusetts Public Records Law and applicable
privacy, confidentiality, and/or other relevant legal
requirements.


The information has been accurately classified and labeled.


The information is protected against unauthorized access or
use (I.e., prevent unauthorized
modification

to the data)


Information Technology Resources (ITRs; data, hardware,
software, transmission media) used to present the
information cannot be used to gain unauthorized access to
other internal systems or data.


The information, as well as the ITRs, are protected against
unplanned and/or unauthorized service disruption