Security versus privacy in software

Security often supports privacy, and that’s true. If you maintain security effectively, you can protect the confidentiality and integrity of data, and that is good for the privacy of the data subject. But security is often opposed to privacy because the primary interest as regards security is: who did what, when? There are tools that allow you to ask that question—logs. When you activate logging tools to monitor your network, you capture packets. Security in that context is basically surveillance. When you are engaging in surveillance, of course, it can be an invasion of privacy. And so that tension exists. Keeping your family, your computer and your identity safe is an essential task in our online world. You are responsible for knowing what type of information you are handling.

Computer security, also known as cybersecurity or IT security, is the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide.

Apple’s opposition to an FBI request to unlock the iPhone of Syed Rizwan Farook, the shooter in the December terrorist attack in San Bernardino, CA, has raised the issue of data privacy and security, not just on individual devices but also when devices are connected to the cloud. Your device or on-premise server might be protected, but what about when you connect them to the cloud? It may be vulnerable to attackers or be subject to government requests.

Cloud security introduces different challenges because there are more players, said Mark Nunnikhoven, vice president of cloud research at Trend Micro Inc. Also, the type of security you want depends on what you want to protect your data from. Do you want to protect it from hackers or protect it from government agencies?”

In privacy by design, for example, one of the difficulties is influencing people to actually manage their privacy, day to day. Think about all the junk mailings you receive in your physical mailbox. Imagine if every time someone wanted to send you an offer, they had to call you up and ask for permission to use your name and address. You might say, “Well, that would be great for my privacy. I would tell them not to mail it.” But you would be on the phone all day long. The goal is to maintain the security and privacy pillars in a really cohesive, organizationally sound manner. 

So you log on and buy the product: you enter your credit card number, your name, and your address…okay, no security violations yet. If I take your name and address and sell it so that you get lots of SPAM and lots of direct mail, now you may feel your privacy is invaded. There is no security problem; no one broke in, but it might still be a privacy violation. It’s a question of how we use the data. We could give you good notice and say, “By the way, if you buy this product, we will not sell or distribute your name, except to parties that will help us finish this transaction.” If we tell you what the use is, then you can make conscious choices.

I have a very basic doubt regarding cloud computing that is catching up pretty fast these days. To my understanding, cloud computing is a paradigm in which companies put up their data and applications on somebody else's machines aka 'The Cloud'. I want to know just how secure is it to put up my data on some third party machines, especially if my data contains private details. In particular, how can an enterprise trust the cloud computing service providers in this data privacy aspect? If I am speaking about credit card or financial information, then it's NOT secure. PCI Level 1 compliance rules out any possibility of using the cloud because to be compliant you need to perform third-party on-site audits, and most cloud providers don't allow that. Here is Amazon's stand on it. For any other data that requires legal compliance, you will find it difficult to host it on the cloud. Scanning, auditing and even the contractual requirements of PCI guarantee that you won’t be able to be compliant if you’re using the cloud.  The good thing is that at least Amazon is being perfectly honest about this and is telling their customers that EC2 and S3 aren’t compliant solutions, instead offering up their Flexible Payment Solution (FPS) as a way to use their services in a compliant way. 

Application security principles are collections of desirable application properties, behaviors, designs and implementation practices that attempt to reduce the likelihood of threat realization and impact should that threat be realized. Security principles are language-independent, architecturally-neutral primitives that can be leveraged within most software development methodologies to design and construct applications.

Principles are important because they help us make security decisions in new situations with the same basic ideas. By considering each of these principles, we can derive security requirements, make architecture and implementation decisions, and identify possible weaknesses in systems.

The important thing to remember is that in order to be useful, principles must be evaluated, interpreted and applied to address a specific problem. Although principles can serve as general guidelines, simply telling a software developer that their software must "fail securely" or that they should do "defense in depth" won't mean that much.

Security by design: Secure by design

Security by design, or alternately secure by design, means that the software has been designed from the ground up to be secure. In this case, security is considered as the main feature. Some of the techniques in this approach include:

• The principle of least privilege, where each part of the system has only the privileges that are needed for its function. That way even if an attacker gains access to that part, they have only limited access to the whole system.
• Automated theorem proving to prove the correctness of crucial software subsystems.
• Code reviews and unit testing approaches to make modules more secure where formal correctness proofs are not possible.
• Defense in depth, where the design is such that more than one subsystem needs to be violated to compromise the integrity of the system and the information it holds.
• Default secure settings, and design to "fail secure" rather than "fail insecure" (see fail-safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure.
• Audit trails tracking system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks.
• Full disclosure of all vulnerabilities, to ensure that the "window of vulnerability" is kept as short as possible when bugs are discovered.

Some proven application security principles

• Apply defense in depth (complete mediation)
• Use a positive security model (fail-safe defaults, minimize attack surface)
• Fail securely
• Run with least privilege
• Avoid security by obscurity (open design)
• Keep security simple (verifiable, economy of mechanism)
• Detect intrusions (compromise recording)
• Don’t trust infrastructure
• Don’t trust services
• Establish secure defaults (psychological acceptability)

Who has the keys?

The bigger issue with encryption is what happens to the encryption keys. If the data is encrypted, the keys exist somewhere. Where should you put them? Who has control of them? How do you protect them? “If the answer is that the cloud provider can never have access to the keys, then you’re in pretty good shape. Because even if something happened and people stole your data or subpoenaed it and demanded it, all they would get is encrypted data that they can’t decrypt,” Rubin said.

If the keys aren’t going with the data into the cloud—they are separated and put into some other device—you’ve created a level where no one entity would be able to give someone access, she said. “I think that is just table stakes now. I don’t think anyone can go into the cloud without considering it because you just don’t know what will happen,” she said. “Anything you have any concerns about at all, not even just sensitive data, should be encrypted.” Nunnikhoven pointed out, though, that even if data is encrypted, it doesn’t mean it is secure from everything. Because law enforcement agencies can make companies release data. “In most cases, any company operating in the United States is going to comply with the legal requirements,” he said.

The human element in information security often gets short shrift. For example, many still believe that training programs don’t work and aren’t worth spending time and money on. But the best security defenses in the world won’t be successful if even one employee doesn’t know a phishing email when he sees one. And today, it’s easy for business departments to order a cloud service or download an app to a corporate smartphone. People who don’t know what’s kosher and what isn’t are practically courting disaster.

Best practices, Patching best practices include:

• Never build a solution that limits your ability to patch or upgrade software.
• Build patching into your normal operational processes.
• Capacity planning and systems architecture should include consideration for patching, software upgrades, and system reboots.

Create strong passwords

• Create complex passwords and change them per policy.
• Include at least three upper and/or lowercase letters, along with punctuation, symbols, and numbers.
• Avoid sequences or repeated characters such as 222222, abcdefg, or adjacent letters on your keyboard (qwerty).
• Use a unique name and password for each account, especially for social media and blog sites.
• Do not use a grouping that someone could find on your social media pages, such as birth date, address or occupation.

Be cautious about discussing work in:

• Hallways.
• Elevators.
• Restrooms.
• Restaurants.
• Athletic clubs.
• Airports.
• Taxis.

Everyone — from chief executives to business departments to the newest of hires — needs to be keenly aware of the threats out there, how to prevent them and how to counter them if they do occur. The more an organization can instill its people with a security mindset, the more it can bolster its defenses against an increasingly bold and innovative underground.

Some common vulnerabilities are:

• Social networking.
• Conversations.
• Malware.
• Tailgating.
• Phishing.

Microsoft Corp (MSFT.O) has sued the U.S. government for the right to tell its customers when a federal agency is looking at their emails, the latest in a series of clashes over privacy between the technology industry and Washington. The lawsuit, filed on Thursday in federal court in Seattle, argues that the government is violating the U.S. Constitution by preventing Microsoft from notifying thousands of customers about government requests for their emails and other documents. The government’s actions contravene the Fourth Amendment, which establishes the right for people and businesses to know if the government searches or seizes their property, the suit argues, and Microsoft's First Amendment right to free speech. Cloud in Windows Azure is the biggest challenge. Microsoft’s suit focuses on the storage of data on remote servers, rather than locally on people's computers, which Microsoft says has provided a new opening for the government to access electronic data.

Just in case if you don't know the terminology or want a refresher, the following terms used with regards to engineering secure systems are explained below.

• Access authorization restricts access to a computer to a group of users through the use of authentication systems. These systems can protect either the whole computer – such as through an interactive login screen – or individual services, such as an FTP server. There are many methods for identifying and authenticating users, such as passwords, identification cards, and, more recently, smart cards and biometric systems.
• Chain of trust techniques can be used to attempt to ensure that all software loaded has been certified as authentic by the system's designers.
• Cryptographic techniques can be used to defend data in transit between systems, reducing the probability that data exchanged between systems can be intercepted or modified. Cyberwarfare is an Internet-based conflict that involves politically motivated attacks on information and information systems. Such attacks can, for example, disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems.Data integrity is the accuracy and consistency of stored data, indicated by an absence of any alteration in data between two updates of a data record.
• Encryption is used to protect the message from the eyes of others. Cryptographically secure ciphers are designed to make any practical attempt to breaking infeasible. Symmetric-key ciphers are suitable for bulk encryption using shared keys, and public-key encryption using digital certificates can provide a practical solution for the problem of securely communicating when no key is shared in advance.
• Honey pots are computers that are either intentionally or unintentionally left vulnerable to attack by crackers. They can be used to catch crackers or fix vulnerabilities.
• Social engineering awareness keeps employees aware of the dangers of social engineering and/or having a policy in place to prevent social engineering can reduce successful breaches of the network and servers.
• Authentication techniques can be used to ensure that communication end-points are who they say they are.
• Backups are a way of securing information; they are another copy of all the important computer files kept in another location. These files are kept on hard disks, CD-Rs, CD-RWs, tapes and more recently on the cloud. Suggested locations for backups are a fireproof, waterproof, and heat proof safe, or in a separate, offsite location than that in which the original files are contained. Some individuals and companies also keep their backups in safe deposit boxes inside bank vaults. There is also a fourth option, which involves using one of the file hosting services that back up files over the Internet for both business and individuals, known as the cloud. Backups are also important for reasons other than security. Natural disasters, such as earthquakes, hurricanes, or tornadoes, may strike the building where the computer is located. The building can be on fire, or an explosion may occur. There needs to be a recent backup at an alternate secure location, in case of such kind of disaster. Further, it is recommended that the alternate location is placed where the same disaster would not affect both locations. Examples of alternate disaster recovery sites being compromised by the same disaster that affected the primary site include having had a primary site in World Trade Center I and the recovery site in 7 World Trade Center, both of which were destroyed in the 9/11 attack, and having one's primary site and recovery site in the same coastal region, which leads to both being vulnerable to hurricane damage (for example, primary site in New Orleans and recovery site in Jefferson Parish, both of which were hit by Hurricane Katrina in 2005). The backup media should be moved between the geographic sites in a secure manner, in order to prevent them from being stolen.

• The third priority of the Federal Bureau of Investigation (FBI) is to: "Protect the United States against cyber-based attacks and high-technology crimes", and they, along with the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA) are part of the multi-agency task force, The Internet Crime Complaint Center, also known as IC3. In addition to its own specific duties, the FBI participates alongside non-profit organizations such as InfraGard

• Spoofing of user identity describes a situation in which one person or program successfully masquerades as another by falsifying data.

• Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details directly from users. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Preying on a victim's trust, phishing can be classified as a form of social engineering.
• Denial of service attacks is designed to make a machine or network resource unavailable to its intended users. Attackers can deny service to individual victims, such as by deliberately entering a wrong password enough consecutive times to cause the victim account to be locked, or they may overload the capabilities of a machine or network and block all users at once. While a network attack from a single IP address can be blocked by adding a new firewall rule, many forms of Distributed denial of service (DDoS) attacks are possible, where the attack comes from a large number of points – and defending is much more difficult. Such attacks can originate from the zombie computers of a botnet, but a range of other techniques are possible including reflection and amplification attacks, where innocent systems are fooled into sending traffic to the victim.

Security:

1. Definition: Involves protecting data, networks, and systems from unauthorized access, theft, or damage. This includes measures to prevent cyberattacks, data breaches, and loss of data integrity.

2. Implementation: Utilizes technologies and practices like encryption, authentication, firewalls, and intrusion detection systems. It demands constant vigilance and updates to defend against new threats.

3. Impact on Privacy: Strong security measures are necessary to protect user privacy. However, extensive data collection for security purposes can infringe on individual privacy if not properly managed.

Privacy:

1. Definition: Concerns the rights of individuals to control their personal information and how it is collected, used, and shared. It involves consent, data minimization, and transparent data handling practices.

2. Implementation: Includes mechanisms like data anonymization, user consent prior to data collection, clear privacy policies, and compliance with data protection laws (e.g., GDPR, CCPA).

3. Impact on Security: Privacy measures restrict the amount and type of data collected and stored, which can limit the data available for security monitoring and analysis. This can potentially make security efforts more challenging.

Balancing Security and Privacy:

1. Data Minimization: Collect only the data that is necessary for the intended purpose, reducing the amount of data at risk.

2. Encryption: Protect data privacy by encrypting data at rest and in transit, ensuring that even if data is intercepted or accessed, it remains unintelligible without the decryption key.

3. Access Controls: Implement strict access controls to ensure that only authorized personnel can access sensitive or personal data.

4. Transparency and Consent: Be transparent with users about what data is being collected and why. Obtain their consent and provide options to control their privacy settings.

5. Regular Audits and Compliance Checks: Regularly audit security and privacy practices to ensure compliance with laws and regulations, and to identify and rectify potential vulnerabilities.

6. User Education: Educate users about security risks and the importance of practices like strong passwords and recognizing phishing attempts, which can enhance both security and privacy.

7. Privacy by Design: Integrate privacy considerations into the software development process from the beginning, rather than as an afterthought.

8. Legal Compliance: Ensure that all software and practices comply with relevant data protection laws and industry standards.

By carefully considering and integrating both security and privacy principles into software development and daily operations, organizations can protect themselves against threats while respecting and safeguarding user privacy. It requires a continuous, proactive approach and a commitment to ethical standards and legal compliance.

References

https://cloudsecurityalliance.org/

http://www.mckeay.net/2009/08/14/cannot-achieve-pci-compliance-with-amazon-ec2s3/ 

https://www.owasp.org/index.php/Category:Principle 

https://en.wikipedia.org/wiki/Computer_security

http://www.reuters.com/article/us-microsoft-privacy-idUSKCN0XB22U

Summary

According to a study released in January by Cloud Security Alliance and security software vendor Skyhigh Networks, 25% of organizations said they’d be willing to pay a ransom to hackers to stop the release of sensitive information, and 14% would pay more than $1 million. “To me that is disheartening, and it does tell us that both were not doing a good enough job in the industry protecting information,” said Jim Reavis, co-founder and CEO of Cloud Security Alliance, “and also that our use of technology is so vast that there are so many threats out there.” According to research from the Enterprise Strategy Group, 46% of organizations say that they have a “problematic shortage” of cybersecurity skills in 2016, up from 28% in 2015.