Cyber Security and Privacy




Cyber Security and Privacy
Jovan Golić
CySeP Winter School, Stockholm, 2014

EIT ICT Labs
- EIT ICT Labs is one of the first Knowledge and Innovation Communities set up in 2010 by the European Institute of Innovation and Technology (EIT), as an initiative of the European Union, motivated by an urgent need to strengthen the ICT competence in Europe
- EIT ICT Labs' mission is to drive European leadership in ICT innovation for economic growth and quality of life by linking Education, Research & Business through 8 thematic + 2 educational action lines, co-location centers, a network of partners, and a business development accelerator for startups and SMEs
- Finalization stages of research & innovation aiming at bringing to market innovative ICT products and services are funded through 1-year projects conducted by the partners, together with others through sub-granting (up to 60k) and sub-contracting
- http://www.eitictlabs.eu

Cyber Security
- Cyber security can generally be considered as information/data security in cyberspace
- In practice, it relates to offensive and defensive techniques, used respectively for performing attacks or defences
- Defensive techniques can be attack-based (e.g. anti-malware signature-based techniques or security patches against SW vulnerabilities) or generic (e.g. anomaly-based/behaviour-based techniques); the latter are more effective against unknown attacks and less effective against known attacks
- Techniques include traffic or event monitoring, data analytics, attack detection and prevention (gateways, firewalls, IDS/IPS), tracking, tracing, incident management & emergency response, information sharing (SOCs and CERTs), security policies, and risk management
- Attacks can aim at DoS/DDoS, fraud, malfunctioning, physical damage (cyber-physical systems), defamation, data theft, terrorism, cyberwar; they appear to evolve exponentially!
- Current situation and trends are unsatisfactory!

Data Security
- Data integrity: data received/retrieved in original form, via secret tag for detection of unauthorized changes
- Data confidentiality: data intelligible only to desired entities, via secret reversible transformation of data
- Data availability: data available on request, via redundancy, dynamic testing, recovery
- Entity authentication and identification of entities (e.g., persons, organizations, things) creating, sending, receiving, or retrieving data, via verification of real-world physical/logical attributes and time of communication, authentication protocols
- Security is relative to attacks: types, objectives, impact, scale
- Security is relative to attackers: skills, sophistication, resources
- Security has a cost: widespread usage reduces the costs and enables security-by-design
- Security as a business opportunity rather than an obstacle

Data Privacy - 1
- Data privacy is about the security of personal data and of any sensitive data regarding citizens, private or public companies, institutions, and organizations (e.g., IoT data, industrial secrets)
- Data privacy is also about the user's control of sensitive data according to the minimality principle
- Minimality principle: Sensitive data should be controlled by the user during the whole lifecycle and disclosed to the lowest possible extent for a minimum period of time only to entities and for purposes authorized by the user. Ideally, this principle should guide the balance between data disclosure and usability.
- Rarely applied in practice. One reason is massive user profiling by online service providers, since user data has market value. Another reason is the surveillance and lawful interception by government agencies and law enforcement authorities to help detect and monitor social threats, and detect, track, and investigate criminal or terrorist activities.
- Alert: Massive user profiling becomes massive citizen profiling if identity attributes are associated with user profiles

Data Privacy - 2
- Protect data privacy against insider attacks: traceable system administrator interventions, integrity of logs and audit trails, strong authentication, shared access & control, separation of duties
- Privacy paradigm shift: Enforce the minimality principle
- Support data privacy by practical advanced cryptographic techniques, including privacy-preserving data mining and profiling, secure multiparty computation, practical homomorphic encryption, secret sharing, threshold cryptography, anonymization, anonymity protocols, anonymous credentials, attribute-based encryption, format- and syntax-preserving encryption, searchable encryption, end-to-end encryption, and SW obfuscation, in addition to traditional techniques
- Address accountability by techniques for revocable anonymity
- Protection of sensitive data requires privacy-aware security platforms and mechanisms in both software and hardware
- N.B. Data protection laws depend on physical location of data!

Digital Trust
- Level of confidence that a product or service or process in the digital world is functioning accordingly; it is relative, conditional, and time dependent
- Has a subjective component and an objective component, which can be called trustworthiness
- Best practices and reputation are fundamental
- The problem is that data security is complex, relative, conditional, difficult to verify
- Trust + Distrust + Uncertainty = 1
- Increase trust directly or by decreasing distrust or uncertainty
- Factors: policies and agreements, liability, reputation, best practices, assurance levels, technical and technological assurance, transparency, verifiability, auditing, cost-effective certification, information sharing, awareness, knowledge

Action Line for Privacy, Security & Trust
- Mission: Support users and businesses in protecting their digital assets and transactions, promoting robust and safe products and services that realize data privacy and security
- Privacy: Security & User's Control of sensitive data
- Minimality principle: Disclose sensitive data to a minimum extent
- Misconception 1: Address cyber security by counteracting attacks and SOCs/CERTs only
- Misconception 2: Cyber security is possible without privacy
- Strategy: Address cyber security and privacy proactively, by deploying trustworthy and transparent innovative technologies bridging the gaps between available techniques and practice; promote the "security & privacy by design" paradigm; raise social awareness
- Priorities 2014-2016:
  - Privacy-aware federated ID management & strong authentication
  - Data privacy in online/mobile applications, services & communications
  - Protection against malicious software & intrusion detection/prevention on computing devices, especially on mobile platforms

Software Security
- Standardized cryptographic algorithms and protocols used for data security are subject to public scrutiny and trustworthy
- Many proprietary ones turned out to be weak after being exposed
- Software products (operating systems, middleware, applications) are frequently proprietary and obfuscated; trustworthiness w.r.t. data security is then not well anchored
- SW and SW updates can be authenticated/certified by digital signatures issued by using trusted public keys
- Reduce SW vulnerabilities by applying security by design: develop SW by using static and/or dynamic formal methods
- Untrusted applications can be separated from the trusted ones by using a trusted execution environment or virtualization
- Detection of malicious applications and intrusions on end-point devices is currently not sufficiently effective!

Virtualization Security
- Virtualization is fundamental for cloud services; it can also be done on end-point devices, even in constrained environments
- A hypervisor is SW running on the host platform, for generating and supporting guest Virtual Machines (VMs)
- Isolation of guest VMs is fundamental for virtualization security
- Proving the isolation and other properties of a hypervisor by formal security analysis is a challenge
- A hypervisor can be transparent and open for verification or certified; this can significantly improve trustworthiness
- Assuming that the host platform is trusted, security of guest VMs and distributed middleware (intrusion and anti-malware protection including APTs) can be efficiently controlled by the monitoring SW process running on the host
- Virtual monitoring and IDS can be introduced on the network level

Hardware Security
- An ICT system can be secure on SW level, but insecure on HW level
- Strong HW platforms and architectures (including self-checking circuits) are important, especially w.r.t. sophisticated attackers
- Transparent and auditable HW fabrication facilities are preferable, but difficult to implement
- HW devices connected to the cloud (IoT), such as smart meters and various sensors, especially if they generate sensitive data, need to be strongly authenticated/identified by using cryptographic keys and/or chip templates such as Physical Unclonable Functions (PUFs)
- Such devices should better be run on open or standardized OS guided by the simplicity and security principles
- Secure key generation & management (HSM, secure element)
- Usage of HW security tokens (HST) for strong user-to-HST-to-cloud authentication; the same HST for multiple keys
- HW/SW implementations of cryptographic algorithms and protocols running on sensitive data should be resistant to side-channel attacks

Business Opportunities
- ICT business at risk: The worldwide ICT security technology and services market is growing more than 11% annually, to reach 92 billion in 2017. By 2020, it is estimated that 440 billion of the added value is at risk if the leveraged data are not appropriately protected.
- Significant market opportunities: Market share of European companies in industry solutions for data security and privacy (16.5%) is lagging behind their global ICT market share (25%). This is possibly due to fragmented national regulations and government control, as cyber security and privacy are considered to be matters of national security and safety.
- European technology solutions in this area potentially have a comparative advantage with respect to trustworthiness.
- In the after-Snowden era, enterprises, institutions, and organizations hesitate to send their sensitive data to the cloud. This implies that the business opportunities for deploying innovative solutions offering higher assurance for data privacy are significant.

Priority 1: Secure and Privacy-aware E-authentication and Digital Identity Management (1)
- Widely adopted and deployed innovative solutions for secure and privacy-aware federated e-authentication and e-identification of physical or logical entities (e.g., persons, organizations, things, services) via online or wireless communications will create:
  - a basis for more secure, authentic and trustworthy products and services, cross-nationally and nationally
  - a springboard for trusted personal data management
  - more trust among people and organizations in Europe
- Without violating the privacy of users as citizens!
- Build on existing cross-border projects and initiatives, e.g., STORK, ABC4Trust, FutureID, GBA, OneAPI, EEMA, Kantara, FIDO
- N.B. Single sign-on and federated e-ID facilitate user or citizen profiling via linking!

Priority 1: Secure and Privacy-aware E-authentication and Digital Identity Management (2)
- Relevant techniques include:
  - Strong, multi-factor authentication (beyond password-only)
  - Privacy-preserving biometric authentication of persons and physical authentication of things (e.g., biometric encryption)
  - Device usage profiling
  - Cryptographic authentication protocols, credentials, certificates
  - Privacy-aware identity federation and attribute sharing, anonymous credentials
  - Secret sharing and shared access control
  - Trust & liability models
- Relevant technologies include:
  - Hardware & software security tokens, biometrics, PUFs, TPMs, SIM cards, physically embedded digital signatures, NFC, QR codes, monitoring & anti-fraud technologies

Priority 2: Protection of Data Privacy in Online and Mobile Applications, Services and Communications (1)
- Data privacy essentially means that the user controls usage of related sensitive data during its whole life cycle, with the minimality principle guiding the balance with usability
- Not only personal data, but also industrial secrets!
- Privacy = security & control of sensitive data
- Data are easy to copy
- Support by legislation or regulation is necessary, but is difficult to correctly implement in practice
- Current practice is unsatisfactory, especially for ordinary people and with respect to sophisticated adversaries!
- Paradigm promoted: support data privacy by validated technical & technological means wherever practically possible, in addition to transparent, human-understandable, and machine-readable privacy policies

Priority 2: Protection of Data Privacy in Online and Mobile Applications, Services and Communications (2)
- Relevant cryptographic techniques include:
  - Local storage and computation
  - Anonymization & pseudonymization
  - Data aggregation
  - Anonymity protocols
  - Privacy-preserving data mining and profiling
  - Secret sharing and shared control
  - Threshold cryptography
  - Secure multiparty computation
  - Practical homomorphic encryption
  - Attribute-based encryption and searchable encryption
  - End-to-end encryption
  - Zero-knowledge protocols

Priority 2: Protection of Data Privacy in Online and Mobile Applications, Services and Communications (3)
- Relevant technologies include:
  - Hardware security tokens
  - Hardware and software solutions for end-to-end security
  - Distributed databases and servers
  - Privacy-aware operating systems and software platforms
  - Virtualization
  - Secure hardware platforms
  - Cost-effective certification & auditing procedures

Priority 3: Mobile Cyber-Security, Addressing Malicious Software in Mobile and Online Applications (1)
- Privacy-preserving intrusion detection & prevention and protection against malicious software (malware) on endpoint computing devices (e.g., smartphone, tablet, PC) is an aspect of cyber security and privacy of ever increasing importance, especially in mobile scenarios
- Smart mobile devices typically contain both personal data and sensitive business-related data
- Malicious or potentially dangerous apps for mobile devices rapidly multiply and evolve
- Existing solutions are partial and fragmented and do not appear to be sufficiently effective, especially with respect to sophisticated attackers and on mobile platforms

Priority 3: Mobile Cyber-Security, Addressing Malicious Software in Mobile and Online Applications (2)
- Relevant techniques include:
  - Local, distributed, or centralized methods
  - Privacy-preserving intrusion detection/prevention
  - Kernel-level anti-malware protection
  - Detection/prevention of advanced persistent threats
  - Sandboxing
  - Behaviour-based malware detection
  - Combined client-based and cloud-based solutions for malware detection on mobile devices
  - Privacy-aware process monitoring on computing devices
  - Trustworthy apps
  - Machine learning techniques for sophisticated intrusion detection

Priority 3: Mobile Cyber-Security, Addressing Malicious Software in Mobile and Online Applications (3)
- Relevant technologies include:
  - Privacy-aware operating systems
  - Virtualization and virtual machines
  - Secure microkernels and hypervisors
  - Multiple operating systems
  - Trusted hardware platforms, secure elements, and trusted execution environment
  - Secure graphical user interfaces
  - Dedicated memory encryption
  - Sensitive data protection in case of device stealing
  - Hardware security tokens

Applications
- User profiling
- Social networks
- E-commerce and e-payment
- E-government and e-signatures
- E-voting and e-democracy
- E-health and wellbeing
- Smart spaces, smart cities & communities
- Cyber-physical systems
- Connected vehicles, mobility
- Smart energy
- Cloud computing and storage
- Personal data management
- Intellectual property licensing
- Internet of things
- Big data analytics