1 it security and privacy fyfy effendy ross hardy amy kirchner amanda macdonell carrie weinkein
TRANSCRIPT
1
IT Security and IT Security and PrivacyPrivacy
Fyfy Effendy
Ross Hardy
Amy Kirchner
Amanda MacDonell
Carrie Weinkein
2
AgendaAgenda
OverviewOverview Security BreachesSecurity Breaches Fraud and Identity Fraud and Identity
TheftTheft Chief Security Chief Security
OfficerOfficer PhishingPhishing Emerging Emerging
TechnologiesTechnologies Best PracticesBest Practices
3
IT Security IT Security DefinedDefined
Information security is the Information security is the process of protecting process of protecting
information systems and data information systems and data from unauthorized access, from unauthorized access,
use, disclosure, destruction, use, disclosure, destruction, modification, or disruption. modification, or disruption.
Information security is Information security is concerned with the concerned with the
confidentiality, integrity, and confidentiality, integrity, and availability of data regardless availability of data regardless of the form the data may take: of the form the data may take:
electronic, print, or other electronic, print, or other forms.forms.
http://en.wikipedia.org/wiki/It_security, viewed April 2nd, 2007
4
Who cares about Who cares about IT Security and IT Security and
Privacy?Privacy?
5
Management Management Does!Does!
Luftman, J., Kempaiah, R., and Nash, E., Key Issues for IT Executives 2005, MIS Quarterly Executive, Vol. 5, No. 2, June 2006, pp 81-99
Security and privacy rose from 19th in 1990 to 2nd in 2005 as a top management concern.
6
CIA TriangleCIA Triangle Three core concepts form the core Three core concepts form the core
principles of information security. principles of information security. Confidentiality: Confidentiality:
Information of confidential nature.Information of confidential nature. Integrity:Integrity:
Data cannot be changed, deleted, or altered without Data cannot be changed, deleted, or altered without authorization.authorization.
Availability:Availability: All information and computer systems used in the All information and computer systems used in the
protection of information are available and functioning protection of information are available and functioning properly.properly.
Fumy W. and Sauerbrey, J., Enterprise Security IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing. 2006.
7
Percentage of IT budget Percentage of IT budget spent on IT securityspent on IT security
13%
10%
11%
6%
26%
21%
12%
0% 5% 10% 15% 20% 25% 30%
More than 10%
8-10%
6-7%
3-5%
1-2%
Less than 1%
Unknown
Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.
8
Security Security BreachesBreaches
9
Common Types of Common Types of Potential IT Security Potential IT Security
BreachesBreaches There are many types There are many types
of potential IT of potential IT security threats:security threats: VirusesViruses TheftTheft FraudFraud SpamSpam WormsWorms Phishing/SpoofingPhishing/Spoofing SabotageSabotage Social NetworkingSocial Networking
Garg, Ashisha, Jeffrey Curtis, and Hilary Halper. “The Financial Impact of IT Security Breaches: What Do Investors Think?”. Security Management Practices. March/April 2003. PP 1-9.
10
Types of Attacks or Types of Attacks or MisuseMisuse
Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.
11
Trends in Information Trends in Information Security BreachesSecurity Breaches
“Special Report: The Shift in Data Security- Stop the Insider Threat”. CSO FOCUS. October 2005. PP 2-8
12
Trends in Information Trends in Information Security BreachesSecurity Breaches
http://www.aarp.org/research/frauds-scams/fraud/dd142_security_breach.html, viewed April 06, 2007
13
Trends in Information Trends in Information Security BreachesSecurity Breaches
http://www.aarp.org/research/frauds-scams/fraud/dd142_security_breach.html, viewed April 06, 2007
14
Frequency of Cyber Frequency of Cyber Security BreachesSecurity Breaches
How many incidents,by % of respondents 1-5 6-10 >10 Don't know
2006 48 15 9 28
2005 43 19 9 28
2004 47 20 12 22
2003 38 20 16 26
2002 42 20 15 23
2001 33 24 11 31
2000 33 23 13 31
1999 34 22 14 29
Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.
15
Why should Why should general managers general managers
care about IT care about IT security breaches?security breaches?
16
Cost of Cyber Security Cost of Cyber Security BreachBreach
TangibleTangible Lost businessLost business Lost productivity of non IT staffsLost productivity of non IT staffs Labor and material costs associated with the Labor and material costs associated with the
IT staff’s detection, containment, repair and IT staff’s detection, containment, repair and reconstitution of the breached resourcesreconstitution of the breached resources
Legal costs associated with the collection of Legal costs associated with the collection of forensic evidence and the prosecution of an forensic evidence and the prosecution of an attackerattacker
Public relations consulting costs, to prepare Public relations consulting costs, to prepare statements for the press, and answer statements for the press, and answer customer questionscustomer questions
Increases in insurance premiumsIncreases in insurance premiumsWhat Does a Computer Breach Really Cost? Anita D. D’Amico, Ph.D.Secure Decisions, a Division of Applied Visions, Inc., September 7, 2000
17
Cost of Cyber Security Cost of Cyber Security BreachBreach
IntangibleIntangible Customers’ loss of trust in the Customers’ loss of trust in the
organizationorganization Failure to win new accounts due to bad Failure to win new accounts due to bad
press associated with the breachpress associated with the breach Competitor’s access to confidential or Competitor’s access to confidential or
proprietary informationproprietary information
What Does a Computer Breach Really Cost? Anita D. D’Amico, Ph.D.Secure Decisions, a Division of Applied Visions, Inc., September 7, 2000
18
Amount Lost from Security Amount Lost from Security Breach by TypeBreach by Type
Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.
19
Outsourcing Computer Outsourcing Computer SecuritySecurity
Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.
20
Outsourcing Computer Outsourcing Computer SecuritySecurity
Most of the respondents did not Most of the respondents did not outsource the IT securityoutsource the IT security
IT security is one of the core IT security is one of the core capabilities and therefore should be capabilities and therefore should be kept in house.kept in house.
Source: Lacity, M., “Twenty Customer and Supplier Lessons on IT Sourcing,” Cutter Consortium, Vol. 5, 12, 2004, pp.1-27
21
Most Critical Issues for the Most Critical Issues for the Next 2 yearsNext 2 years
Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.
22
23
Fraud and Identity TheftFraud and Identity Theft
“Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade Commission. May 12 2006. PP 2-32.
24
Fraud and Identity TheftFraud and Identity Theft
“Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade Commission. May 12 2006. PP 2-32.
25
Fraud and Identity TheftFraud and Identity Theft
“Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade Commission. May 12 2006. PP 2-32.
26
Fraud and Identity TheftFraud and Identity Theft
“Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade Commission. May 12 2006. PP 2-32.
27
Chief Security OfficerChief Security Officer
28
Role of the CSORole of the CSO
Good communicatorGood communicator Able to promote IT security projects Able to promote IT security projects
as business projectsas business projects Knowledgeable in a wide array of Knowledgeable in a wide array of
areas including IT, business, legal areas including IT, business, legal and policyand policy
McAdams, A., “Security and Risk Management – A Fundamental Business Issue”Information Management Journal, Vol 38, Issue 4, July/August 2004, pg 36
29
Functions of the CSOFunctions of the CSO
Provide leadershipProvide leadership Establish an integrated information Establish an integrated information
systems frameworksystems framework Create and implement security policies Create and implement security policies
and proceduresand procedures Set and monitor metricsSet and monitor metrics Allocate funding to IT projectsAllocate funding to IT projects Create training programs for employeesCreate training programs for employees Create support system for these programsCreate support system for these programs
McAdams, A., “Security and Risk Management – A Fundamental Business Issue”Information Management Journal, Vol 38, Issue 4, July/August 2004, pg 36
30
Background of a CSOBackground of a CSO
Come from a predominantly IS Come from a predominantly IS backgroundbackground
Other common backgrounds include:Other common backgrounds include: Corporate Security (35%)Corporate Security (35%) Military (32%)Military (32%) Law Enforcement (21%)Law Enforcement (21%) Business Operations (19%)Business Operations (19%) Audit (18%)Audit (18%)
Petersen, Rodney, “The Role of the CSO” Educause Review September/October 2006 Pages 73-82
31
Importance of the CSOImportance of the CSO
The Global State of Information Security 2006 Survey, http://secure.idg.com.au/images/cio/CSO_Security_Survey.pdf, viewed April 14, 2007
32
Doe Run Doe Run CompanyCompanySt. Louis, MissouriSt. Louis, Missouri
33
Company Information – Doe Company Information – Doe RunRun
International natural resource companyInternational natural resource company Mining, smelting, recycling and fabrication of Mining, smelting, recycling and fabrication of
metalsmetals North America’s largest integrated lead North America’s largest integrated lead
producer and third largest total lead producer in producer and third largest total lead producer in the worldthe world
Also produces zinc, copper, gold and silverAlso produces zinc, copper, gold and silver Locations in Missouri, Washington, Arizona and Locations in Missouri, Washington, Arizona and
PeruPeru 4,000 employees worldwide4,000 employees worldwide 2 Billion in annual sales2 Billion in annual sales
http://www.doerun.com/about/company.aspx, viewed March 13, 2007
34
Company Information – Company Information – Doe RunDoe Run
Founded in 1864 when St. Joseph Lead Founded in 1864 when St. Joseph Lead Company purchased land known for its Company purchased land known for its lead deposits in Southeast Missouri.lead deposits in Southeast Missouri.
The Southeast Missouri location The Southeast Missouri location operates the mining and milling operates the mining and milling division and extracts around 70% of division and extracts around 70% of the primary lead supply in the US.the primary lead supply in the US.
In 2003, 4.6 million tons of ore mined In 2003, 4.6 million tons of ore mined and milled at this location.and milled at this location.
http://www.doerun.com/about/company.aspx, viewed March 13, 2007
35
Company Information – Company Information – Doe RunDoe Run
Began operating a smelter in Began operating a smelter in Herculaneum, MO in 1892 and all smelting Herculaneum, MO in 1892 and all smelting activities were consolidated there in 1920. activities were consolidated there in 1920.
24-hour smelter that extracts lead from ore 24-hour smelter that extracts lead from ore received from the Southeast MO division.received from the Southeast MO division.
In 2003, produced 146,746 tons of primary In 2003, produced 146,746 tons of primary lead.lead.
In 1997, more than doubled in size by In 1997, more than doubled in size by acquiring refineries and smelters in La acquiring refineries and smelters in La Oroya, Peru.Oroya, Peru.
http://www.doerun.com/about/company.aspx, viewed March 13, 2007
36
Company Information – Company Information – Doe RunDoe Run
Later that year they also acquired copper Later that year they also acquired copper mines in Corbiza, Peru and created Doe mines in Corbiza, Peru and created Doe Run Peru.Run Peru.
In, 2003 the Corbiza copper mine produced In, 2003 the Corbiza copper mine produced 67,216 metric tons of copper concentrate.67,216 metric tons of copper concentrate.
From this copper concentrate, the La From this copper concentrate, the La Oroya division produces 15,700 metric tons Oroya division produces 15,700 metric tons of metallic copper.of metallic copper.
They now operate six mines, four mills, one They now operate six mines, four mills, one primary smelter and one lead recycling primary smelter and one lead recycling plant.plant.
http://www.doerun.com/about/company.aspx, viewed March 13, 2007
37
Chief Security OfficerChief Security Officer
Craig WilliamsCraig Williams Reports to the CIO who reports Reports to the CIO who reports
directly to CEOdirectly to CEO Directly responsible for all data and Directly responsible for all data and
physical security in North and South physical security in North and South AmericaAmerica
Annual IT budget of $2.8 million with Annual IT budget of $2.8 million with one-third allocated to IT securityone-third allocated to IT security
50 employees in the IT department 50 employees in the IT department with 4 dedicated to securitywith 4 dedicated to security
Craig Williams, CISO, Doe Run CompanyInterviewed by phone by Carrie Weinkein, March 15, 2007
38
Provisions for IT Security – Provisions for IT Security – Doe RunDoe Run
Security policy and procedures Security policy and procedures manualmanual
Employee security awareness Employee security awareness trainingtraining
Intrusion prevention and detectionIntrusion prevention and detection Biometric technology for mobile Biometric technology for mobile
computingcomputing
Craig Williams, CISO, Doe Run CompanyInterviewed by phone by Carrie Weinkein, March 15, 2007
39
Common Threats – Doe RunCommon Threats – Doe Run
Social EngineeringSocial Engineering Phone CallsPhone Calls VisitsVisits
Virus AttacksVirus Attacks HackersHackers
Moved website from in-house to hosted Moved website from in-house to hosted
Craig Williams, CISO, Doe Run CompanyInterviewed by phone by Carrie Weinkein, March 15, 2007
40
IT Security – Doe RunIT Security – Doe Run
BenefitsBenefits IT security has increased 75% since IT security has increased 75% since
CSO position was created (one and a CSO position was created (one and a half years ago)half years ago)
Have been able to get increased budget Have been able to get increased budget for IT securityfor IT security
LimitationsLimitations Not enough employees dedicated to IT Not enough employees dedicated to IT
securitysecurity
Craig Williams, CISO, Doe Run CompanyInterviewed by phone by Carrie Weinkein, March 15, 2007
41
Future of IT Security – Future of IT Security – Doe RunDoe Run
Implement data mining security and Implement data mining security and encryptionencryption
Security policy updatesSecurity policy updates Continue doing security assessmentsContinue doing security assessments
Attack and penetrationAttack and penetration PhysicalPhysical
Door access using biometric technologyDoor access using biometric technology Will be utilized in new top secret areaWill be utilized in new top secret area Adhere to National Security Advisory Adhere to National Security Advisory
StandardsStandardsCraig Williams, CISO, Doe Run CompanyInterviewed by phone by Carrie Weinkein, March 15, 2007
42
PhishingPhishing
43
PhishingPhishing Online identity theft in which Online identity theft in which
confidential information is obtained confidential information is obtained from an individual.from an individual.
Direct phishing-related loss to US Direct phishing-related loss to US Banks and credit card issuers in 2003 Banks and credit card issuers in 2003 was $1.2 billionwas $1.2 billion
Indirect loss (customer service Indirect loss (customer service expenses, account replacement costs, expenses, account replacement costs, increased expenses due to decreased increased expenses due to decreased use of online service) are much higheruse of online service) are much higher
Causes substantial hardship for Causes substantial hardship for victimized consumers, due to the victimized consumers, due to the difficulty of repairing credit damaged difficulty of repairing credit damaged by fraudulent activity.by fraudulent activity.
ITTC Report on Online Identity Theft Technology and Countermeasures (Aaron Emigh)http://www.antiphising.org, viewed March 15, 2007
44
Tricks used in Spoof Tricks used in Spoof EmailsEmails
““Spoofing” reputable companiesSpoofing” reputable companies Creating a plausible premise (i.e. Creating a plausible premise (i.e.
account information is outdated, credit account information is outdated, credit card is expired, or account has been card is expired, or account has been randomly selected for verification)randomly selected for verification)
Requires a quick responseRequires a quick response Collecting information in the emailCollecting information in the email Links to web sites that gather Links to web sites that gather
informationinformation Using IP addressUsing IP address
Anatomy of a Phishing EmailBy Christine E. Drake, Jonathan J. Oliver, and Eugene J. KoontzMailFrontier, Inc., 2004
45
Phishing Examples: US Phishing Examples: US BankBank
Source: http://www.antiphishing.org, viewed March 27, 2007
46
Phishing Examples: US Phishing Examples: US BankBank
Source: http://www.antiphishing.org, viewed March 27, 2007
47
Phishing Targeted Phishing Targeted IndustryIndustry
Source: Phishing Attack Trends Report – January 2007, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007
48
Phishing Reports Received by Anti-Phishing Reports Received by Anti-Phishing Working Group (APWG)Phishing Working Group (APWG)
0
5000
10000
15000
20000
25000
30000
Jan Feb March Apr May June July Aug Sept Oct Nov Dec
Month
Nu
mb
er o
f p
his
hin
g r
epo
rts
sub
mit
ted
to
AP
WG
2006
2005
Source: Phishing Attack Trends Report – January 2007 & January 2006, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007
49
Top 10 Phishing Sites Top 10 Phishing Sites Hosting CountriesHosting Countries
Source: Phishing Attack Trends Report – January 2007, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007
50
Anti-phishing SolutionAnti-phishing Solution Implement educational programs for Implement educational programs for
employees and users regarding phishing employees and users regarding phishing attackattack
Strong authentication – use digital signatures Strong authentication – use digital signatures for outgoing emailsfor outgoing emails
Phishing responsive service – users can Phishing responsive service – users can forward emails to company to validation forward emails to company to validation whether it really comes from credible sourceswhether it really comes from credible sources
Create international network of contacts in Create international network of contacts in the legal, government and internet service the legal, government and internet service provider communities to identify sources of provider communities to identify sources of phishing attacks, shut down website and phishing attacks, shut down website and phiser’s accountphiser’s account
Source: http://www.verisign.com/static/031240.pdf, viewed March 27, 2007
51
Emerging Trends in IT Emerging Trends in IT SecuritySecurity
52
BiometricsBiometrics
Biometrics: Biometrics: The science and The science and technology of measuring and technology of measuring and statistically analyzing biological statistically analyzing biological data.data.
““Biometrics introduces a new option Biometrics introduces a new option for identifying users as they interact for identifying users as they interact with computer systems and with computer systems and networks.” networks.”
Fumy W. and Sauerbrey, J., Enterprise Security IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing. 2006.
53
BiometricsBiometrics
Face Recognition – systematically Face Recognition – systematically analyzing specific features that are analyzing specific features that are common to everyone’s facecommon to everyone’s face
Fingerprint Identification – comparing Fingerprint Identification – comparing the pattern of ridges in fingerprints the pattern of ridges in fingerprints
Hand Geometry Biometrics – works in Hand Geometry Biometrics – works in harsh environmentsharsh environments
Retina Scan – No known way to Retina Scan – No known way to replicate a retina. A good scan takes replicate a retina. A good scan takes about 15 secondsabout 15 seconds
www.technovelgy.com/ct/technology-article.asp?artnum=16 viewed March 17, 2007
54
BiometricsBiometrics
Iris Scan – There are ways of Iris Scan – There are ways of encoding the iris scan to carry encoding the iris scan to carry around in a “barcode” formataround in a “barcode” format
Signature – DigitizedSignature – Digitized Voice AnalysisVoice Analysis
www.technovelgy.com/ct/technology-article.asp?artnum=16 viewed March 17, 2007
55
Biometric ComparisonsBiometric Comparisons
http://www.itsc.org.sg/synthesis/2002/biometric.pdf
56
Smart CardsSmart Cards Definition:Definition:
a plastic card containing a microprocessor that a plastic card containing a microprocessor that enables the holder to perform operations requiring enables the holder to perform operations requiring data that is stored in the microprocessor.data that is stored in the microprocessor.
Smart cards include a microchip for on card processing capabilities and secure, portable storage for static and dynamic passwords, digital certificates and private keys, biometrics and other data.
http://en.wikipedia.org/wiki/Smart_card , viewed March 18, 2007.
57
Smart CardsSmart CardsTwo Categories:Two Categories:
Memory CardsMemory Cards
Microprocessor CardsMicroprocessor Cards
Methods of Reading Cards:Methods of Reading Cards:
Contact Smart Card Readers Contact Smart Card Readers
(ISO/IEC 7816/7810)(ISO/IEC 7816/7810)
Contactless Smart Card Readers Contactless Smart Card Readers
(ISO/IEC 14443)(ISO/IEC 14443)
“Real Big Price Tag for Real ID” Security: For Buyers of Products, Systems, & Services. Nov2006, Vol 43 Issue 11, pg 24
58
Security FeaturesSecurity Features
59
Security Features – Security Features – Biometrics Biometrics
Based on physical human Based on physical human characteristics, making it difficult to characteristics, making it difficult to replicatereplicate
Can not be lost or stolenCan not be lost or stolen Potential to identify people at a high Potential to identify people at a high
degree of certaintydegree of certainty
http://www.ax.sbiometrics.com/riskans.htmViewed March 17, 2007
60
Security Features – Security Features – Smart Cards Smart Cards
Instead of a signature, transactions Instead of a signature, transactions require pin numbersrequire pin numbers
Merchants must meet tougher standards Merchants must meet tougher standards for collection and storage of card datafor collection and storage of card data
Card readers can obtain information Card readers can obtain information directly from card instead of retrieving it directly from card instead of retrieving it over a networkover a network
Difficult to replicateDifficult to replicateWarren, Karen. “Smart Cards Under attack- Literally”. Security: For Buyers of Products. March 2006. Volume 43
Issue 3 Pg. 34-36.
61
Security Features – Security Features – Smart CardsSmart Cards
Can be Used in Collaboration with Biometrics, Can be Used in Collaboration with Biometrics, Making Verification more SecureMaking Verification more Secure
Computations Can be Done in the Card Itself, so Computations Can be Done in the Card Itself, so keys need to only exist in the cardskeys need to only exist in the cards
Each card can Contain a Personal Firewall, so Each card can Contain a Personal Firewall, so data is only extracted when external system is data is only extracted when external system is authenticated as having rights to the dataauthenticated as having rights to the data
Boyd, Laura, Patricia D’Costa, and Mansour Karimzadeh. “Privacy and Security Identification Systems: The Role of
Smart Cards as a Privacy-Enabling Technology”. Smart Card Alliance White Pater.. Feb 2003. pp2-30. Warren, Karen. “Smart Cards Under attack- Literally”. Security: For Buyers of Products. March 2006. Volume 43 Issue 3
Pg. 34-36.
62
ComponentsComponents
63
Components – Biometric Components – Biometric DevicesDevices
Usability – should come with a practical user Usability – should come with a practical user interface interface
IntegrationIntegration Cost – Devices range in price from $50-$2000Cost – Devices range in price from $50-$2000 Throughput – Time it takes to read the data. (2 Throughput – Time it takes to read the data. (2
seconds to read a fingerprint, 30 seconds to read an seconds to read a fingerprint, 30 seconds to read an iris scan)iris scan)
Trigger – External or AutomatedTrigger – External or Automated Acquisition Time – Images per secondAcquisition Time – Images per second Date Transfer Rate – Images transferred per secondDate Transfer Rate – Images transferred per second Ergonomic DesignErgonomic Design
Fumy W. and Sauerbrey, J., Enterprise Security IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing. 2006
64
Components – Smart Components – Smart CardCard
CPUCPU- manages data, executes - manages data, executes cryptographic algorithms, and enforces cryptographic algorithms, and enforces application rulesapplication rules
ROMROM- stores operating system software- stores operating system software
RAMRAM- temporary storage of data- temporary storage of data
Electrically Erasable Programmable Electrically Erasable Programmable Read- Only Memory (EEPROM)- Read- Only Memory (EEPROM)- stores small amounts of volatile stores small amounts of volatile (configuration) data(configuration) data
“Smart Cards Get Toe-Hold”. Security Magazine. Nov 2006. pg. 24.
65
Advantages to ManagersAdvantages to Managers
66
Advantages – Biometrics Advantages – Biometrics
Cost savings in the areas such as Loss Cost savings in the areas such as Loss Prevention and/or Time & AttendancePrevention and/or Time & Attendance
Provides extremely accurate and secured Provides extremely accurate and secured access to informationaccess to information
Can be done rapidly and with minimum Can be done rapidly and with minimum trainingtraining
Identities can be linked to missing, stolen Identities can be linked to missing, stolen or altered documentsor altered documents
Prevents lost, stolen, or borrowed Id cardsPrevents lost, stolen, or borrowed Id cards
http://www.technology.com/ct/technology-article.asp?artnum=14 Viewed March 17, 2007
http://www.ax.sbiometrics.com Viewed March 17, 2007
67
Advantages – Smart Advantages – Smart CardsCards
Increased SecurityIncreased Security Cost SavingsCost Savings Easy to Use (similar to using a debit Easy to Use (similar to using a debit
card)card) Faster Access to Secured BuildingsFaster Access to Secured Buildings Eliminates Multiple Passwords Eliminates Multiple Passwords
Associated With Different SoftwareAssociated With Different Software Ability to Continuously Add New Ability to Continuously Add New
ApplicationsApplications“Benefits of Contactless Smart Cards”. Smarter Buildings. Oct 2006. p 26.
68
Disadvantages to Disadvantages to ManagersManagers
69
Disadvantages - Disadvantages - BiometricsBiometrics
Cost Cost Not always accessible for those with Not always accessible for those with
disabilitiesdisabilities Can be viewed as an invasion of Can be viewed as an invasion of
privacyprivacy
http://ezinearticles.com/?biometrics Viewed March 17, 2007
http://www.cs.rockhurst.edu/seminars/CS2003/Biometrics/index.html Viewed March 17,2007
70
Disadvantages – Smart Disadvantages – Smart CardsCards
Failure RateFailure Rate
Expensive to ImplementExpensive to Implement
Flexibility of Plastic Card Flexibility of Plastic Card
Hackers Keep up with Technology as Hackers Keep up with Technology as soon as it is Developedsoon as it is Developed
Flavelle, Dana. “Chip-Based Cards may Cut Into Fraud”. Toronto Star. April 2005.Titus, John. “For Smart Cards Security is Key”. Electronic Component News. June 2006. Vol 50 Issue 7, PP. 27-28.
71
ApplicationsApplications
72
Applications - BiometricsApplications - Biometrics Financial Services (ATM’s)Financial Services (ATM’s) Immigration and Border ControlImmigration and Border Control Social Services – Fraud PreventionSocial Services – Fraud Prevention Health Care – Security/Privacy of recordsHealth Care – Security/Privacy of records Physical Access Control – Government/Office buildingsPhysical Access Control – Government/Office buildings Time & Attendance Time & Attendance Computer Security – Personal Access, Network Computer Security – Personal Access, Network
Access, Internet, E-CommerceAccess, Internet, E-Commerce Telecommunications – Mobile Phones, Call Center Telecommunications – Mobile Phones, Call Center
TechnologyTechnology Law Enforcement – Criminal InvestigationLaw Enforcement – Criminal Investigation National SecurityNational Security Education/SchoolsEducation/Schools
http://ezinearticles.com/?biometrics Viewed March 17, 2007
73
Applications Using Smart Applications Using Smart CardsCards
Payment SystemsPayment Systems Mobile PhonesMobile Phones Physical/logical accessPhysical/logical access
controlcontrol Secure IDSecure ID Public TransitPublic Transit Pay TVPay TV Voting SystemsVoting Systems
Warren, Karen. “Smart Cards Under attack- Literally”. Security: For Buyers of Products. March 2006. Volume 43 Issue 3 PP. 34-36.Center For Multimedia Education and Application Development. Mulimedia University. www.cmead.mmu.edu. 2005.
74
Security BreachesSecurity Breaches
75
Security Breaches - Security Breaches - BiometricsBiometrics
Hard to bypass biometric security Hard to bypass biometric security measures because they are based on measures because they are based on physical traits that are unique to physical traits that are unique to individualsindividuals
Mythbusters VideoMythbusters Video
http://youtube.com/watch?v=ZncdgwjQxm0 Viewed March 17, 2007
76
Security Breaches – Security Breaches – Smart CardsSmart Cards
Dissection of the Card’s Dissection of the Card’s ComponentsComponents
Hackers can simply remove the MCU's passivation layer Hackers can simply remove the MCU's passivation layer and use a microscope to explore the chip or use a and use a microscope to explore the chip or use a focused ion-beam (FIB) system to tamper with itfocused ion-beam (FIB) system to tamper with it
Titus, Jon. “For Smart Cards, Security is the Key”. ECN Magazine. June 2006. pp 27-28.
77
Security Breaches – Security Breaches – Smart CardsSmart Cards
Differential Power AnalysisDifferential Power AnalysisAn attack that observes a device’s power consumption which is An attack that observes a device’s power consumption which is highly linked to which computational power is being used, it highly linked to which computational power is being used, it distinguishes non-volatile memory programming, and identifies distinguishes non-volatile memory programming, and identifies cryptographic routines as they execute. cryptographic routines as they execute.
VideoVideo
Tearings (Logic Errors and Power Tearings (Logic Errors and Power Disruptions)Disruptions)
These problems can reveal secrets, allowing hackers to get defectiveThese problems can reveal secrets, allowing hackers to get defective
computations to execute which then helps “crack the code”computations to execute which then helps “crack the code”
Warren, Karen. “Smart Cards Under attack- Literally”. Security: For Buyers of Products. March 2006. Volume 43 Issue 3 PP. 34-36.Messerges, T.S, E.A. Dabbish, R.H. Sloan, “Examining Smart Card Security Under the Threat of Power Analysis Attacks”. IEE Transaction on Computers. May 2002.
78
"As the microprocessors in "As the microprocessors in smart cards get more smart cards get more complicated and the amount of complicated and the amount of code increases, the chance of code increases, the chance of bugs increases substantially,"bugs increases substantially,"
--Paul Krocker, President of Paul Krocker, President of Cryptography Cryptography Research Research
79
Cost Considerations of Cost Considerations of ImplementationImplementation
80
Cost Considerations - Cost Considerations - BiometricsBiometrics
Hardware and SoftwareHardware and Software Database updating Database updating InstallationInstallation Connection/User system integration Connection/User system integration System Maintenance System Maintenance Staff Training Staff Training Identification collection and Identification collection and
information maintenanceinformation maintenance
http://webhost.bridgew.edu/jcolby/it525/cost.html Viewed March 17, 2007
81
Cost SavingsCost Savings
That’s Savings of more than $2 million for every 2,000 employees!!!!!!!!!!
“Smart Cards, Smart ROI”. Security Magazine. January 2006. pp 24-26.
82
Companies Using Smart Companies Using Smart CardsCards
Carlson, Caren. “Are You Who You Say You Are?”. Eweek. April 17, 2006.
U.S. Pentagon3.1 million DOD personnel use common access cards; Cards are used to log onto computers and add digital signatures to documents.
Boeing Company200,000 employees, contractors, and partners received multifunction smart cards that primarily provide access to information systems and
buildings. Still in 5 year implementation period that started in 2004.
The Queens Health Network14,000 cards have been issued. Cards contain
patient’s photo ID, name, address, emergency contact, allergies, current medications, and recent lab results.
83
Best PracticesBest Practices
84
Best Practices – IT SecurityBest Practices – IT Security
Develop IT security policy and Develop IT security policy and proceduresprocedures
Assess security standards and Assess security standards and compliance with these standardscompliance with these standards
Analyze threats and find ways to Analyze threats and find ways to mitigate risksmitigate risks
Monitor IT security and efficiently Monitor IT security and efficiently operate a security-enhanced systemoperate a security-enhanced system
http://www.microsoft.com/technet/itshowcase/content/securitywebapps.mspx, viewed April 6, 2007
85
Best Practices – IT SecurityBest Practices – IT Security
http://www.microsoft.com/technet/itshowcase/content/securitywebapps.mspx, viewed April 6, 2007
86
Best Practices – Doe RunBest Practices – Doe Run
The first task of the newly created CSO The first task of the newly created CSO position was to create a security policy and position was to create a security policy and procedures manual.procedures manual.
The CSO continually monitors compliance with The CSO continually monitors compliance with the security policy manual and updates the security policy manual and updates accordingly.accordingly.
CSO performs security assessments to identify CSO performs security assessments to identify new threats and then develops procedures to new threats and then develops procedures to protect IT assets and information protect IT assets and information
CSO continually monitors systems to ensure CSO continually monitors systems to ensure they are operating efficientlythey are operating efficiently
87
Best Practices – Smart Best Practices – Smart Cards Cards
Consider all media on which the info is stored Consider all media on which the info is stored and transmitted, not just the info on the cardand transmitted, not just the info on the card
Transmit Only Encrypted InfoTransmit Only Encrypted Info
Remove all info captured by ID card reader as Remove all info captured by ID card reader as soon as the transaction is completesoon as the transaction is complete
Use checklists for individual data fields to Use checklists for individual data fields to determine what rights each authorized group determine what rights each authorized group hashas
Boyd, Laura, Patricia D’Costa, and Mansour Karimzadeh. “Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology”. Smart Card Alliance White Pater.. Feb 2003. pp2-30
88
Best Practices – Smart Best Practices – Smart CardsCards
Maximize offline portion of transactions, Maximize offline portion of transactions, while minimizing online accesswhile minimizing online access
Allow cardholders to authorize card content Allow cardholders to authorize card content extraction with a password, PIN, and/or extraction with a password, PIN, and/or biometrics for all transactionsbiometrics for all transactions
Construct Applications so transaction Construct Applications so transaction records cannot be used as surveillance toolsrecords cannot be used as surveillance tools
Boyd, Laura, Patricia D’Costa, and Mansour Karimzadeh. “Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology”. Smart Card Alliance White Pater.. Feb 2003. pp2-30
89
RecapRecap
IT security challenges are continually IT security challenges are continually increasing.increasing.
Security standards evolving and Security standards evolving and adapting to meet new IT security adapting to meet new IT security challenges.challenges.
New and innovative security New and innovative security procedures:procedures: Smart CardsSmart Cards BiometricsBiometrics
90