IT Security and Privacy
Fyfy Effendy, Ross Hardy, Amy Kirchner, Amanda MacDonell, Carrie Weinkein

Uploaded by eugenia-griffin, posted 11-Jan-2016

TRANSCRIPT

Page 1

IT Security and Privacy

Fyfy Effendy
Ross Hardy
Amy Kirchner
Amanda MacDonell
Carrie Weinkein

Page 2

Agenda

Overview
Security Breaches
Fraud and Identity Theft
Chief Security Officer
Phishing
Emerging Technologies
Best Practices

Page 3

IT Security Defined

Information security is the process of protecting information systems and data from unauthorized access, use, disclosure, destruction, modification, or disruption.

Information security is concerned with the confidentiality, integrity, and availability of data regardless of the form the data may take: electronic, print, or other forms.

http://en.wikipedia.org/wiki/It_security, viewed April 2nd, 2007

Page 4

Who cares about IT Security and Privacy?

Page 5

Management Does!

Luftman, J., Kempaiah, R., and Nash, E., Key Issues for IT Executives 2005, MIS Quarterly Executive, Vol. 5, No. 2, June 2006, pp 81-99

Security and privacy rose from 19th in 1990 to 2nd in 2005 as a top management concern.

Page 6

CIA Triangle

Three core concepts form the core principles of information security.

Confidentiality: information is disclosed only to those authorized to see it.
Integrity: data cannot be changed, deleted, or altered without authorization.
Availability: all information and computer systems used in the protection of information are available and functioning properly.

Fumy W. and Sauerbrey, J., Enterprise Security IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing. 2006.

Page 7

Percentage of IT budget spent on IT security

[Bar chart. Categories: More than 10%, 8-10%, 6-7%, 3-5%, 1-2%, Less than 1%, Unknown. Data labels as extracted: 13%, 10%, 11%, 6%, 26%, 21%, 12%; the label-to-category mapping is not recoverable from the extracted text.]

Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

Page 8

Security Breaches

Page 9

Common Types of Potential IT Security Breaches

There are many types of potential IT security threats:
Viruses
Theft
Fraud
Spam
Worms
Phishing/Spoofing
Sabotage
Social Networking

Garg, Ashish, Jeffrey Curtis, and Hilary Halper. “The Financial Impact of IT Security Breaches: What Do Investors Think?”. Security Management Practices. March/April 2003. PP 1-9.

Page 10

Types of Attacks or Misuse

[Chart]

Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

Page 11

Trends in Information Security Breaches

[Chart]

“Special Report: The Shift in Data Security- Stop the Insider Threat”. CSO FOCUS. October 2005. PP 2-8

Page 12

Trends in Information Security Breaches

[Chart]

http://www.aarp.org/research/frauds-scams/fraud/dd142_security_breach.html, viewed April 06, 2007

Page 13

Trends in Information Security Breaches

[Chart]

http://www.aarp.org/research/frauds-scams/fraud/dd142_security_breach.html, viewed April 06, 2007

Page 14

Frequency of Cyber Security Breaches

How many incidents, by % of respondents

Year   1-5   6-10   >10   Don't know
2006    48     15     9       28
2005    43     19     9       28
2004    47     20    12       22
2003    38     20    16       26
2002    42     20    15       23
2001    33     24    11       31
2000    33     23    13       31
1999    34     22    14       29

Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

Page 15

Why should general managers care about IT security breaches?

Page 16

Cost of Cyber Security Breach

Tangible
Lost business
Lost productivity of non-IT staff
Labor and material costs associated with the IT staff’s detection, containment, repair and reconstitution of the breached resources
Legal costs associated with the collection of forensic evidence and the prosecution of an attacker
Public relations consulting costs, to prepare statements for the press and answer customer questions
Increases in insurance premiums

What Does a Computer Breach Really Cost? Anita D. D’Amico, Ph.D., Secure Decisions, a Division of Applied Visions, Inc., September 7, 2000

Page 17

Cost of Cyber Security Breach

Intangible
Customers’ loss of trust in the organization
Failure to win new accounts due to bad press associated with the breach
Competitors’ access to confidential or proprietary information

What Does a Computer Breach Really Cost? Anita D. D’Amico, Ph.D., Secure Decisions, a Division of Applied Visions, Inc., September 7, 2000

Page 18

Amount Lost from Security Breach by Type

[Chart]

Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

Page 19

Outsourcing Computer Security

[Chart]

Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

Page 20

Outsourcing Computer Security

Most of the respondents did not outsource IT security.

IT security is one of the core capabilities and therefore should be kept in house.

Source: Lacity, M., “Twenty Customer and Supplier Lessons on IT Sourcing,” Cutter Consortium, Vol. 5, 12, 2004, pp.1-27

Page 21

Most Critical Issues for the Next 2 Years

[Chart]

Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

Page 22

[No extracted content]

Page 23

Fraud and Identity Theft

[Chart]

“Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade Commission. May 12 2006. PP 2-32.

Page 24

Fraud and Identity Theft

[Chart]

“Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade Commission. May 12 2006. PP 2-32.

Page 25

Fraud and Identity Theft

[Chart]

“Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade Commission. May 12 2006. PP 2-32.

Page 26

Fraud and Identity Theft

[Chart]

“Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade Commission. May 12 2006. PP 2-32.

Page 27

Chief Security Officer

Page 28

Role of the CSO

Good communicator
Able to promote IT security projects as business projects
Knowledgeable in a wide array of areas including IT, business, legal and policy

McAdams, A., “Security and Risk Management – A Fundamental Business Issue”, Information Management Journal, Vol 38, Issue 4, July/August 2004, pg 36

Page 29

Functions of the CSO

Provide leadership
Establish an integrated information systems framework
Create and implement security policies and procedures
Set and monitor metrics
Allocate funding to IT projects
Create training programs for employees
Create a support system for these programs

McAdams, A., “Security and Risk Management – A Fundamental Business Issue”, Information Management Journal, Vol 38, Issue 4, July/August 2004, pg 36

Page 30

Background of a CSO

Come from a predominantly IS background

Other common backgrounds include:
Corporate Security (35%)
Military (32%)
Law Enforcement (21%)
Business Operations (19%)
Audit (18%)

Petersen, Rodney, “The Role of the CSO” Educause Review September/October 2006 Pages 73-82

Page 31

Importance of the CSO

[Chart]

The Global State of Information Security 2006 Survey, http://secure.idg.com.au/images/cio/CSO_Security_Survey.pdf, viewed April 14, 2007

Page 32

Doe Run Company
St. Louis, Missouri

Page 33

Company Information – Doe Run

International natural resource company
Mining, smelting, recycling and fabrication of metals
North America’s largest integrated lead producer and third largest total lead producer in the world
Also produces zinc, copper, gold and silver
Locations in Missouri, Washington, Arizona and Peru
4,000 employees worldwide
$2 billion in annual sales

http://www.doerun.com/about/company.aspx, viewed March 13, 2007

Page 34

Company Information – Doe Run

Founded in 1864 when St. Joseph Lead Company purchased land known for its lead deposits in Southeast Missouri.

The Southeast Missouri location operates the mining and milling division and extracts around 70% of the primary lead supply in the US.

In 2003, 4.6 million tons of ore were mined and milled at this location.

http://www.doerun.com/about/company.aspx, viewed March 13, 2007

Page 35

Company Information – Doe Run

Began operating a smelter in Herculaneum, MO in 1892; all smelting activities were consolidated there in 1920.

24-hour smelter that extracts lead from ore received from the Southeast MO division.

In 2003, produced 146,746 tons of primary lead.

In 1997, more than doubled in size by acquiring refineries and smelters in La Oroya, Peru.

http://www.doerun.com/about/company.aspx, viewed March 13, 2007

Page 36

Company Information – Doe Run

Later that year they also acquired copper mines in Cobriza, Peru and created Doe Run Peru.

In 2003 the Cobriza copper mine produced 67,216 metric tons of copper concentrate.

From this copper concentrate, the La Oroya division produces 15,700 metric tons of metallic copper.

They now operate six mines, four mills, one primary smelter and one lead recycling plant.

http://www.doerun.com/about/company.aspx, viewed March 13, 2007

Page 37

Chief Security Officer

Craig Williams
Reports to the CIO, who reports directly to the CEO
Directly responsible for all data and physical security in North and South America
Annual IT budget of $2.8 million with one-third allocated to IT security
50 employees in the IT department with 4 dedicated to security

Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

Page 38

Provisions for IT Security – Doe Run

Security policy and procedures manual
Employee security awareness training
Intrusion prevention and detection
Biometric technology for mobile computing

Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

Page 39

Common Threats – Doe Run

Social Engineering
  Phone Calls
  Visits
Virus Attacks
Hackers
  Moved website from in-house to hosted

Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

Page 40

IT Security – Doe Run

Benefits
IT security has increased 75% since the CSO position was created (one and a half years ago)
Have been able to get an increased budget for IT security

Limitations
Not enough employees dedicated to IT security

Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

Page 41

Future of IT Security – Doe Run

Implement data mining security and encryption
Security policy updates
Continue doing security assessments
  Attack and penetration
  Physical
Door access using biometric technology
  Will be utilized in new top secret area
  Adhere to National Security Advisory Standards

Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

Page 42

Phishing

Page 43

Phishing

Online identity theft in which confidential information is obtained from an individual.

Direct phishing-related loss to US banks and credit card issuers in 2003 was $1.2 billion.

Indirect losses (customer service expenses, account replacement costs, increased expenses due to decreased use of online services) are much higher.

Causes substantial hardship for victimized consumers, due to the difficulty of repairing credit damaged by fraudulent activity.

ITTC Report on Online Identity Theft Technology and Countermeasures (Aaron Emigh), http://www.antiphishing.org, viewed March 15, 2007

Page 44

Tricks used in Spoof Emails

“Spoofing” reputable companies
Creating a plausible premise (e.g. account information is outdated, credit card is expired, or account has been randomly selected for verification)
Requiring a quick response
Collecting information in the email itself
Links to web sites that gather information
Using a raw IP address in the link in place of a domain name

Anatomy of a Phishing Email. By Christine E. Drake, Jonathan J. Oliver, and Eugene J. Koontz, MailFrontier, Inc., 2004
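The tricks listed above are exactly the indicators a mail filter can look for. What follows is an added example, not code from the presentation or from the cited MailFrontier paper: a small Python scanner that flags urgency wording, the listed premises, links whose real target is a raw IP address, links whose visible text names a different host than the actual href, and inline form fields that collect data in the message itself. The sample message, the phrase lists and the weights are constructed for illustration and are not taken from any real campaign.

```python
import re
from html.parser import HTMLParser

# Constructed sample message modelled on the tricks listed on the slide:
# spoofed brand, plausible premise, urgency, a link that gathers data,
# and a raw IP address in the real link target. Not a real phishing email.
SAMPLE_EMAIL = """From: "US Bank Security" <security@usbank-verify.example>
Subject: Urgent: your account has been randomly selected for verification

Dear customer,
Our records show your account information is outdated. You must respond
within 24 hours or your account will be suspended.
<a href="http://192.0.2.10/usbank/login.php">https://www.usbank.com/login</a>
"""

# Illustrative phrase lists and weights (assumptions); a production filter
# would use a larger, tuned lexicon with per-language variants.
URGENCY = ("urgent", "within 24 hours", "immediately", "will be suspended",
           "randomly selected")
PREMISES = ("information is outdated", "card is expired",
            "selected for verification")
WEIGHTS = {"urgency": 1, "premise": 1, "ip_address_link": 3,
           "link_text_mismatch": 3, "form_in_email": 2}


class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of an absolute URL, lower-cased; '' if not an absolute URL."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def phishing_indicators(raw):
    """Return (indicator, detail) pairs found in the raw message text."""
    found = []
    low = raw.lower()
    found += [("urgency", p) for p in URGENCY if p in low]
    found += [("premise", p) for p in PREMISES if p in low]

    parser = _LinkParser()
    parser.feed(raw)
    for href, text in parser.links:
        target = host_of(href)
        # Trick: raw IP address instead of the brand's domain name.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            found.append(("ip_address_link", href))
        # Trick: visible text shows one site, the href points at another.
        shown = host_of(text)
        if shown and shown != target:
            found.append(("link_text_mismatch", f"{shown} -> {target}"))

    # Trick: collecting information in the email itself via an inline form.
    if re.search(r"<(form|input)\b", raw, re.I):
        found.append(("form_in_email", "inline form field"))
    return found


def phishing_score(raw):
    """Weighted sum of indicators; higher means more phishing-like."""
    return sum(WEIGHTS[kind] for kind, _ in phishing_indicators(raw))
```

On the constructed sample, `phishing_indicators` reports four urgency phrases, two premises, the IP-address link and the text/href mismatch, for a score of 12; a benign message with an ordinary link scores 0. The two link checks carry the most weight because they are structural and hard for the sender to avoid, whereas wording can be rephrased freely.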

Page 45

Phishing Examples: US Bank

[Screenshot]

Source: http://www.antiphishing.org, viewed March 27, 2007

Page 46

Phishing Examples: US Bank

[Screenshot]

Source: http://www.antiphishing.org, viewed March 27, 2007

Page 47

Phishing Targeted Industry

[Chart]

Source: Phishing Attack Trends Report – January 2007, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007

Page 48

Phishing Reports Received by Anti-Phishing Working Group (APWG)

[Bar chart: number of phishing reports submitted to APWG per month (Jan to Dec), 2005 vs 2006; y-axis 0 to 30000.]

Source: Phishing Attack Trends Report – January 2007 & January 2006, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007

Page 49

Top 10 Phishing Sites Hosting Countries

[Chart]

Source: Phishing Attack Trends Report – January 2007, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007

Page 50

Anti-phishing Solution

Implement educational programs for employees and users regarding phishing attacks
Strong authentication – use digital signatures for outgoing emails
Phishing response service – users can forward emails to the company for validation of whether they really come from credible sources
Create an international network of contacts in the legal, government and internet service provider communities to identify sources of phishing attacks and shut down the website and the phisher’s account

Source: http://www.verisign.com/static/031240.pdf, viewed March 27, 2007

Page 51

Emerging Trends in IT Security

Page 52

Biometrics

Biometrics: the science and technology of measuring and statistically analyzing biological data.

“Biometrics introduces a new option for identifying users as they interact with computer systems and networks.”

Fumy W. and Sauerbrey, J., Enterprise Security IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing. 2006.

Page 53

Biometrics

Face Recognition – systematically analyzing specific features that are common to everyone’s face
Fingerprint Identification – comparing the pattern of ridges in fingerprints
Hand Geometry Biometrics – works in harsh environments
Retina Scan – no known way to replicate a retina. A good scan takes about 15 seconds

www.technovelgy.com/ct/technology-article.asp?artnum=16 viewed March 17, 2007

Page 54

Biometrics

Iris Scan – there are ways of encoding the iris scan to carry around in a “barcode” format
Signature – digitized
Voice Analysis

www.technovelgy.com/ct/technology-article.asp?artnum=16 viewed March 17, 2007

Page 55

Biometric Comparisons

[Table]

http://www.itsc.org.sg/synthesis/2002/biometric.pdf

Page 56

Smart Cards

Definition: a plastic card containing a microprocessor that enables the holder to perform operations requiring data that is stored in the microprocessor.

Smart cards include a microchip for on-card processing capabilities and secure, portable storage for static and dynamic passwords, digital certificates and private keys, biometrics and other data.

http://en.wikipedia.org/wiki/Smart_card , viewed March 18, 2007.

Page 57

Smart Cards

Two Categories:
Memory Cards
Microprocessor Cards

Methods of Reading Cards:
Contact Smart Card Readers (ISO/IEC 7816/7810)
Contactless Smart Card Readers (ISO/IEC 14443)

“Real Big Price Tag for Real ID”. Security: For Buyers of Products, Systems, & Services. Nov 2006, Vol 43 Issue 11, pg 24

Page 58

Security Features

Page 59

Security Features – Biometrics

Based on physical human characteristics, making it difficult to replicate
Cannot be lost or stolen
Potential to identify people at a high degree of certainty

http://www.ax.sbiometrics.com/riskans.htm, viewed March 17, 2007

Page 60

Security Features – Smart Cards

Instead of a signature, transactions require a PIN
Merchants must meet tougher standards for collection and storage of card data
Card readers can obtain information directly from the card instead of retrieving it over a network
Difficult to replicate

Warren, Karen. “Smart Cards Under Attack – Literally”. Security: For Buyers of Products. March 2006. Volume 43 Issue 3. Pg. 34-36.

Page 61

Security Features – Smart Cards

Can be used in collaboration with biometrics, making verification more secure
Computations can be done in the card itself, so keys need only exist in the card
Each card can contain a personal firewall, so data is only extracted when the external system is authenticated as having rights to the data

Boyd, Laura, Patricia D’Costa, and Mansour Karimzadeh. “Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology”. Smart Card Alliance White Paper. Feb 2003. pp 2-30.
Warren, Karen. “Smart Cards Under Attack – Literally”. Security: For Buyers of Products. March 2006. Volume 43 Issue 3. Pg. 34-36.


Components


Components – Biometric Devices

Usability – should come with a practical user interface
Integration
Cost – devices range in price from $50 to $2000
Throughput – time it takes to read the data (2 seconds to read a fingerprint, 30 seconds for an iris scan)
Trigger – external or automated
Acquisition Time – images per second
Data Transfer Rate – images transferred per second
Ergonomic Design

Fumy W. and Sauerbrey, J., Enterprise Security IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing. 2006


Components – Smart Card

CPU – manages data, executes cryptographic algorithms, and enforces application rules

ROM – stores the operating system software

RAM – temporary storage of data while the card is powered

EEPROM (Electrically Erasable Programmable Read-Only Memory) – non-volatile storage for small amounts of persistent data such as configuration and keys, which must survive loss of power

“Smart Cards Get Toe-Hold”. Security Magazine. Nov 2006. pg. 24.


Advantages to Managers


Advantages – Biometrics

Cost savings in areas such as loss prevention and/or time & attendance

Provides extremely accurate and secured access to information

Can be done rapidly and with minimal training

Identities can be linked to missing, stolen or altered documents

Prevents lost, stolen, or borrowed ID cards

http://www.technology.com/ct/technology-article.asp?artnum=14 Viewed March 17, 2007

http://www.ax.sbiometrics.com Viewed March 17, 2007


Advantages – Smart Cards

Increased security
Cost savings
Easy to use (similar to using a debit card)
Faster access to secured buildings
Eliminates multiple passwords associated with different software
Ability to continuously add new applications

"Benefits of Contactless Smart Cards". Smarter Buildings. Oct 2006. p. 26.


Disadvantages to Managers


Disadvantages – Biometrics

Cost
Not always accessible for those with disabilities
Can be viewed as an invasion of privacy

http://ezinearticles.com/?biometrics Viewed March 17, 2007

http://www.cs.rockhurst.edu/seminars/CS2003/Biometrics/index.html Viewed March 17,2007


Disadvantages – Smart Cards

Failure rate

Expensive to implement

Flexibility of the plastic card (bending and wear can damage the embedded chip and its contacts)

Attackers keep up with the technology as soon as it is developed

Flavelle, Dana. "Chip-Based Cards May Cut Into Fraud". Toronto Star. April 2005.
Titus, Jon. "For Smart Cards, Security Is Key". Electronic Component News. June 2006. Vol. 50 Issue 7, pp. 27-28.


Applications


Applications – Biometrics

Financial Services (ATMs)
Immigration and Border Control
Social Services – fraud prevention
Health Care – security/privacy of records
Physical Access Control – government/office buildings
Time & Attendance
Computer Security – personal access, network access, Internet, e-commerce
Telecommunications – mobile phones, call center technology
Law Enforcement – criminal investigation
National Security
Education/Schools

http://ezinearticles.com/?biometrics Viewed March 17, 2007


Applications Using Smart Cards

Payment systems
Mobile phones
Physical/logical access control
Secure ID
Public transit
Pay TV
Voting systems

Warren, Karen. "Smart Cards Under Attack - Literally". Security: For Buyers of Products. March 2006. Volume 43 Issue 3, pp. 34-36.
Center for Multimedia Education and Application Development, Multimedia University. www.cmead.mmu.edu. 2005.


Security Breaches


Security Breaches – Biometrics

Biometric measures are claimed to be hard to bypass because they are based on physical traits unique to each individual; in practice a sensor that checks the trait only superficially can be fooled, as the MythBusters segment linked below shows for a fingerprint reader.

MythBusters video

http://youtube.com/watch?v=ZncdgwjQxm0, viewed March 17, 2007


Security Breaches – Smart Cards

Dissection of the card's components

Attackers can simply remove the MCU's passivation layer and use a microscope to explore the chip, or use a focused ion-beam (FIB) system to tamper with it.

Titus, Jon. "For Smart Cards, Security Is the Key". ECN Magazine. June 2006. pp. 27-28.


Security Breaches – Smart Cards

Differential Power Analysis (DPA)
An attack that records the card's power consumption, which is correlated with the data and instructions being processed. The traces distinguish non-volatile memory programming and reveal cryptographic routines as they execute, and statistical comparison of many traces against guesses of the key recovers the secret key material.

Video

Tearing (logic errors and power disruptions)
Pulling the card or cutting power mid-transaction, or otherwise inducing faults, can make the card execute defective computations whose results reveal secrets and help "crack the code".

Warren, Karen. "Smart Cards Under Attack - Literally". Security: For Buyers of Products. March 2006. Volume 43 Issue 3, pp. 34-36.
Messerges, T.S., E.A. Dabbish, and R.H. Sloan. "Examining Smart-Card Security Under the Threat of Power Analysis Attacks". IEEE Transactions on Computers. May 2002.


"As the microprocessors in smart cards get more complicated and the amount of code increases, the chance of bugs increases substantially."

-- Paul Kocher, President of Cryptography Research


Cost Considerations of Implementation


Cost Considerations – Biometrics

Hardware and software
Database updating
Installation
Connection/user system integration
System maintenance
Staff training
Identification collection and information maintenance

http://webhost.bridgew.edu/jcolby/it525/cost.html Viewed March 17, 2007


Cost Savings

That's a savings of more than $2 million for every 2,000 employees!

“Smart Cards, Smart ROI”. Security Magazine. January 2006. pp 24-26.


Companies Using Smart Cards

U.S. Pentagon: 3.1 million DOD personnel use Common Access Cards; the cards are used to log onto computers and add digital signatures to documents.

Boeing Company: 200,000 employees, contractors, and partners received multifunction smart cards that primarily provide access to information systems and buildings. Still in a 5-year implementation period that started in 2004.

The Queens Health Network: 14,000 cards have been issued. Cards contain the patient's photo ID, name, address, emergency contact, allergies, current medications, and recent lab results.

Carlson, Caren. "Are You Who You Say You Are?". eWeek. April 17, 2006.


Best Practices


Best Practices – IT Security

Develop IT security policy and procedures

Assess security standards and compliance with these standards

Analyze threats and find ways to mitigate risks

Monitor IT security and efficiently operate a security-enhanced system

http://www.microsoft.com/technet/itshowcase/content/securitywebapps.mspx, viewed April 6, 2007


Best Practices – IT Security

http://www.microsoft.com/technet/itshowcase/content/securitywebapps.mspx, viewed April 6, 2007


Best Practices – Doe Run

The first task of the newly created CSO position was to create a security policy and procedures manual.

The CSO continually monitors compliance with the security policy manual and updates it accordingly.

The CSO performs security assessments to identify new threats and then develops procedures to protect IT assets and information.

The CSO continually monitors systems to ensure they are operating efficiently.


Best Practices – Smart Cards

Consider all media on which the information is stored and transmitted, not just the information on the card

Transmit only encrypted information

Remove all information captured by the ID card reader as soon as the transaction is complete

Use checklists for individual data fields to determine what rights each authorized group has

Boyd, Laura, Patricia D'Costa, and Mansour Karimzadeh. "Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology". Smart Card Alliance White Paper. Feb 2003. pp. 2-30.


Best Practices – Smart Cards

Maximize the offline portion of transactions while minimizing online access

Allow cardholders to authorize card content extraction with a password, PIN, and/or biometric for all transactions

Construct applications so that transaction records cannot be used as surveillance tools

Boyd, Laura, Patricia D'Costa, and Mansour Karimzadeh. "Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology". Smart Card Alliance White Paper. Feb 2003. pp. 2-30.
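The smart-card practices on the two slides above, together with the earlier security-feature points (transactions gated by a PIN, computations done in the card so keys never leave it, a per-group "personal firewall", and captured data dropped when the transaction completes), as one worked example. This is an added illustration, not code from the slides or from the Smart Card Alliance paper. It simulates the card as a Python object and uses HMAC-SHA256 with shared secrets as a simplification of what real cards do with asymmetric keys and certificates; every key, PIN, reader group, field name and record in it is constructed for the demo.

```python
"""Simulated smart card (added example, not from the slides): PIN with a retry
counter, on-card challenge-response so the card key never leaves the card,
field-level release only to an authenticated reader group, and a transaction
that discards captured data on completion.  All keys and records are constructed."""
import hashlib
import hmac
import secrets


class CardBlocked(Exception):
    """PIN retry counter exhausted; the card refuses further use."""


class AccessDenied(Exception):
    """Reader unauthenticated, or data requested outside its rights."""


def mac(key, *parts):
    """HMAC-SHA256 over a tagged message; used both inside the card and by hosts."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class SmartCard:
    MAX_PIN_TRIES = 3

    def __init__(self, pin, records, group_acl, group_keys, card_key):
        self._pin, self._card_key = pin, card_key        # never exported
        self._records = dict(records)                    # data fields held on the card
        self._group_acl = {g: frozenset(f) for g, f in group_acl.items()}  # rights per group
        self._group_keys = dict(group_keys)              # secret shared with each reader group
        self._tries_left, self._pin_verified, self._nonce = self.MAX_PIN_TRIES, False, None

    def verify_pin(self, candidate):
        """Cardholder consent: every transaction needs the PIN, not a signature."""
        if self._tries_left == 0:
            raise CardBlocked("PIN retry counter exhausted")
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self._tries_left, self._pin_verified = self.MAX_PIN_TRIES, True
            return True
        self._tries_left -= 1
        self._pin_verified = False
        if self._tries_left == 0:
            raise CardBlocked("PIN retry counter exhausted")
        return False

    def prove_identity(self, challenge):
        """Computation done in the card: the host only ever sees the MAC, not the key."""
        return mac(self._card_key, b"CARD-AUTH", challenge)

    def issue_nonce(self):
        """Single-use nonce the reader must MAC to prove it holds the group secret."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def read_fields(self, group, reader_proof):
        """Personal firewall: release only the fields the authenticated group may see."""
        if not self._pin_verified:
            raise AccessDenied("PIN not verified")
        if self._nonce is None or group not in self._group_keys:
            raise AccessDenied("unknown reader group or no outstanding nonce")
        expected = mac(self._group_keys[group], b"READ", group.encode(), self._nonce)
        self._nonce = None                               # nonce is single use
        if not hmac.compare_digest(expected, reader_proof):
            raise AccessDenied("reader failed to authenticate")
        allowed = self._group_acl.get(group, frozenset())
        return {f: v for f, v in self._records.items() if f in allowed}


def host_authenticate_card(card, card_key):
    """Issuer back end checks the card is genuine; the key never crosses the interface."""
    challenge = secrets.token_bytes(16)
    return hmac.compare_digest(mac(card_key, b"CARD-AUTH", challenge),
                               card.prove_identity(challenge))


def run_transaction(card, group, group_key, pin):
    """Returns the field names released (None on a bad PIN, [] if the reader is
    refused); the captured data is dropped as soon as the transaction completes."""
    if not card.verify_pin(pin):
        return None
    proof = mac(group_key, b"READ", group.encode(), card.issue_nonce())
    try:
        data = card.read_fields(group, proof)
    except AccessDenied:
        return []
    try:
        return sorted(data)
    finally:
        data.clear()        # best effort in Python; a real reader wipes its buffers


def demo():
    """Constructed scenario: one patient card, two reader groups, one rogue reader."""
    card_key = secrets.token_bytes(32)
    keys = {"er_staff": secrets.token_bytes(32), "billing": secrets.token_bytes(32)}
    card = SmartCard("4711",
                     {"name": "A. Patient", "allergies": "penicillin", "account": "ACC-0042"},
                     {"er_staff": {"name", "allergies"}, "billing": {"name", "account"}},
                     keys, card_key)
    out = {
        "genuine_card": host_authenticate_card(card, card_key),
        "forged_card": host_authenticate_card(card, secrets.token_bytes(32)),
        "er_sees": run_transaction(card, "er_staff", keys["er_staff"], "4711"),
        "billing_sees": run_transaction(card, "billing", keys["billing"], "4711"),
        "rogue_reader_sees": run_transaction(card, "billing", secrets.token_bytes(32), "4711"),
        "wrong_pin": run_transaction(card, "billing", keys["billing"], "0000"),
    }
    try:
        card.verify_pin("0000")
        card.verify_pin("0000")      # third consecutive failure blocks the card
        out["blocked"] = False
    except CardBlocked:
        out["blocked"] = True
    return out
```

Two details carry the slides' points. The emergency-room group and the billing group each see only their own fields, so the card, not the reader, decides what leaves it; and the retry counter is held in the card's own state, so a lost card cannot be brute-forced offline the way a stolen password hash can.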


Recap

IT security challenges are continually increasing.

Security standards are evolving and adapting to meet new IT security challenges.

New and innovative security procedures:
Smart cards
Biometrics
