Download presentation: IT Security and Privacy, Fyfy Effendy, Ross Hardy

6063c4c39f0fc0c6fa111754bfb7a51a.ppt

  • Number of slides: 90

IT Security and Privacy
Fyfy Effendy, Ross Hardy, Amy Kirchner, Amanda MacDonell, Carrie Weinkein

Agenda
• Overview
• Security Breaches
• Fraud and Identity Theft
• Chief Security Officer
• Phishing
• Emerging Technologies
• Best Practices

IT Security Defined
Information security is the process of protecting information systems and data from unauthorized access, use, disclosure, destruction, modification, or disruption. Information security is concerned with the confidentiality, integrity, and availability of data regardless of the form the data may take: electronic, print, or other forms.
http://en.wikipedia.org/wiki/It_security, viewed April 2nd, 2007

Who cares about IT Security and Privacy?

Management Does!
Security and privacy rose from 19th in 1990 to 2nd in 2005 as a top management concern.
Luftman, J., Kempaiah, R., and Nash, E., "Key Issues for IT Executives 2005", MIS Quarterly Executive, Vol. 5, No. 2, June 2006, pp 81-99

CIA Triangle
• Three core principles form the basis of information security.
• Confidentiality: protecting information of a confidential nature.
• Integrity: data cannot be changed, deleted, or altered without authorization.
• Availability: all information and computer systems used in the protection of information are available and functioning properly.
Fumy, W. and Sauerbrey, J., Enterprise Security: IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing, 2006.

Percentage of IT budget spent on IT security
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. "Computer Crime and Security Survey". Computer Security Institute, 2006, pp 1-25.

Security Breaches

Common Types of Potential IT Security Breaches
There are many types of potential IT security threats:
• Viruses
• Theft
• Fraud
• Spam
• Worms
• Phishing/Spoofing
• Sabotage
• Social Networking
Garg, Ashish, Jeffrey Curtis, and Hilary Halper. "The Financial Impact of IT Security Breaches: What Do Investors Think?". Security Management Practices, March/April 2003, pp 1-9.

Types of Attacks or Misuse
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. "Computer Crime and Security Survey". Computer Security Institute, 2006, pp 1-25.

Trends in Information Security Breaches
"Special Report: The Shift in Data Security - Stop the Insider Threat". CSO Focus, October 2005, pp 2-8

Trends in Information Security Breaches
http://www.aarp.org/research/frauds-scams/fraud/dd142_security_breach.html, viewed April 06, 2007


Frequency of Cyber Security Breaches
How many incidents, by % of respondents

Year   1-5   6-10   >10   Don't know
2006    48     15     9           28
2005    43     19     9           28
2004    47     20    12           22
2003    38     20    16           26
2002    42     20    15           23
2001    33     24    11           31
2000    33     23    13           31
1999    34     22    14           29

Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. "Computer Crime and Security Survey". Computer Security Institute, 2006, pp 1-25.

Why should general managers care about IT security breaches?

Cost of Cyber Security Breach
Tangible:
• Lost business
• Lost productivity of non-IT staff
• Labor and material costs associated with the IT staff's detection, containment, repair and reconstitution of the breached resources
• Legal costs associated with the collection of forensic evidence and the prosecution of an attacker
• Public relations consulting costs, to prepare statements for the press and answer customer questions
• Increases in insurance premiums
D'Amico, Anita D., Ph.D. "What Does a Computer Breach Really Cost?". Secure Decisions, a Division of Applied Visions, Inc., September 7, 2000

Cost of Cyber Security Breach
Intangible:
• Customers' loss of trust in the organization
• Failure to win new accounts due to bad press associated with the breach
• Competitors' access to confidential or proprietary information
D'Amico, Anita D., Ph.D. "What Does a Computer Breach Really Cost?". Secure Decisions, a Division of Applied Visions, Inc., September 7, 2000

Amount Lost from Security Breach by Type
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. "Computer Crime and Security Survey". Computer Security Institute, 2006, pp 1-25.

Outsourcing Computer Security
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. "Computer Crime and Security Survey". Computer Security Institute, 2006, pp 1-25.

Outsourcing Computer Security
• Most of the respondents did not outsource IT security.
• IT security is one of the core capabilities and therefore should be kept in house.
Source: Lacity, M., "Twenty Customer and Supplier Lessons on IT Sourcing," Cutter Consortium, Vol. 5, 12, 2004, pp. 1-27

Most Critical Issues for the Next 2 Years
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. "Computer Crime and Security Survey". Computer Security Institute, 2006, pp 1-25.


Fraud and Identity Theft
"Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over". Federal Trade Commission, May 12, 2006, pp 2-32.




Chief Security Officer

Role of the CSO
• Good communicator
• Able to promote IT security projects as business projects
• Knowledgeable in a wide array of areas including IT, business, legal and policy
McAdams, A., "Security and Risk Management – A Fundamental Business Issue", Information Management Journal, Vol 38, Issue 4, July/August 2004, pg 36

Functions of the CSO
• Provide leadership
• Establish an integrated information systems framework
• Create and implement security policies and procedures
• Set and monitor metrics
• Allocate funding to IT projects
• Create training programs for employees
• Create a support system for these programs
McAdams, A., "Security and Risk Management – A Fundamental Business Issue", Information Management Journal, Vol 38, Issue 4, July/August 2004, pg 36

Background of a CSO
• Come from a predominantly IS background
• Other common backgrounds include:
  • Corporate Security (35%)
  • Military (32%)
  • Law Enforcement (21%)
  • Business Operations (19%)
  • Audit (18%)
Petersen, Rodney, "The Role of the CSO", Educause Review, September/October 2006, pages 73-82

Importance of the CSO
The Global State of Information Security 2006 Survey, http://secure.idg.com.au/images/cio/CSO_Security_Survey.pdf, viewed April 14, 2007

Doe Run Company, St. Louis, Missouri

Company Information – Doe Run
• International natural resource company
• Mining, smelting, recycling and fabrication of metals
• North America's largest integrated lead producer and third largest total lead producer in the world
• Also produces zinc, copper, gold and silver
• Locations in Missouri, Washington, Arizona and Peru
• 4,000 employees worldwide
• 2 billion in annual sales
http://www.doerun.com/about/company.aspx, viewed March 13, 2007

Company Information – Doe Run
• Founded in 1864 when St. Joseph Lead Company purchased land known for its lead deposits in Southeast Missouri.
• The Southeast Missouri location operates the mining and milling division and extracts around 70% of the primary lead supply in the US.
• In 2003, 4.6 million tons of ore were mined and milled at this location.
http://www.doerun.com/about/company.aspx, viewed March 13, 2007

Company Information – Doe Run
• Began operating a smelter in Herculaneum, MO in 1892, and all smelting activities were consolidated there in 1920.
• 24-hour smelter that extracts lead from ore received from the Southeast MO division.
• In 2003, produced 146,746 tons of primary lead.
• In 1997, more than doubled in size by acquiring refineries and smelters in La Oroya, Peru.
http://www.doerun.com/about/company.aspx, viewed March 13, 2007

Company Information – Doe Run
• Later that year they also acquired copper mines in Corbiza, Peru and created Doe Run Peru.
• In 2003, the Corbiza copper mine produced 67,216 metric tons of copper concentrate.
• From this copper concentrate, the La Oroya division produces 15,700 metric tons of metallic copper.
• They now operate six mines, four mills, one primary smelter and one lead recycling plant.
http://www.doerun.com/about/company.aspx, viewed March 13, 2007

Chief Security Officer: Craig Williams
• Reports to the CIO, who reports directly to the CEO
• Directly responsible for all data and physical security in North and South America
• Annual IT budget of $2.8 million, with one-third allocated to IT security
• 50 employees in the IT department, with 4 dedicated to security
Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

Provisions for IT Security – Doe Run
• Security policy and procedures manual
• Employee security awareness training
• Intrusion prevention and detection
• Biometric technology for mobile computing
Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

Common Threats – Doe Run
• Social engineering
  • Phone calls
  • Visits
• Virus attacks
• Hackers
  • Moved website from in-house to hosted
Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

IT Security – Doe Run
• Benefits
  • IT security has increased 75% since the CSO position was created (one and a half years ago)
  • Have been able to get an increased budget for IT security
• Limitations
  • Not enough employees dedicated to IT security
Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

Future of IT Security – Doe Run
• Implement data mining security and encryption
• Security policy updates
• Continue doing security assessments
  • Attack and penetration
  • Physical
• Door access using biometric technology
  • Will be utilized in new top secret area
• Adhere to National Security Advisory Standards
Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

Phishing

Phishing
• Online identity theft in which confidential information is obtained from an individual.
• Direct phishing-related loss to US banks and credit card issuers in 2003 was $1.2 billion
• Indirect losses (customer service expenses, account replacement costs, increased expenses due to decreased use of online services) are much higher
• Causes substantial hardship for victimized consumers, due to the difficulty of repairing credit damaged by fraudulent activity.
ITTC Report on Online Identity Theft Technology and Countermeasures (Aaron Emigh); http://www.antiphishing.org, viewed March 15, 2007

Tricks used in Spoof Emails
• "Spoofing" reputable companies
• Creating a plausible premise (i.e. account information is outdated, credit card is expired, or account has been randomly selected for verification)
• Requiring a quick response
• Collecting information in the email
• Links to web sites that gather information
• Using IP addresses
Drake, Christine E., Jonathan J. Oliver, and Eugene J. Koontz. "Anatomy of a Phishing Email". MailFrontier, Inc., 2004
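Each trick above is something a mail gateway can test for. The heuristic scorer below is an added example written for this page, not code from the slides or from MailFrontier; the brand list, the premise and urgency phrase lists, and the two sample messages (with 192.0.2.10 from the documentation address range) are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands a company expects to see impersonated, with their legitimate sending
# domains. Assumed values for this demonstration.
KNOWN_BRANDS = {"us bank": {"usbank.com"}, "paypal": {"paypal.com"}}
PREMISE_PHRASES = ("verify your account", "account information is outdated",
                   "credit card has expired", "randomly selected",
                   "update your account", "confirm your identity")
URGENCY_PHRASES = ("within 24 hours", "immediately", "will be suspended",
                   "failure to respond", "as soon as possible")
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _LinkFormParser(HTMLParser):
    """Collects <a href> targets with their visible text and notes any <form>."""

    def __init__(self):
        super().__init__()
        self.links = []          # (href, visible text)
        self.has_form = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.has_form = True
        elif tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _registered(host):
    """Crude registrable-domain guess (last two labels); enough for the demo."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_email(display_name, from_addr, subject, html_body):
    """Return (score, reasons); every trick that matches adds one reason."""
    reasons = []
    text = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    sender_domain = _registered(from_addr.rsplit("@", 1)[-1].lower())

    # Trick 1: a reputable company named in the display name or subject while
    # the message actually comes from an unrelated domain.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in (display_name + " " + subject).lower() and sender_domain not in domains:
            reasons.append(f"claims to be {brand!r} but sent from {sender_domain}")
    # Tricks 2 and 3: plausible account-problem premise, demand for a quick response.
    if any(p in text for p in PREMISE_PHRASES):
        reasons.append("account-problem premise")
    if any(p in text for p in URGENCY_PHRASES):
        reasons.append("pressure for an immediate response")

    parser = _LinkFormParser()
    parser.feed(html_body)
    # Trick 4: collecting the information directly inside the email.
    if parser.has_form:
        reasons.append("contains an input form")
    # Tricks 5 and 6: links to data-gathering sites, hidden behind a raw IP
    # address or behind link text that shows a different host.
    for href, visible in parser.links:
        host = _host(href)
        if IPV4_HOST.match(host):
            reasons.append(f"link to raw IP address {host}")
        visible_host = _host(visible) if visible.startswith("http") else ""
        if visible_host and _registered(visible_host) != _registered(host):
            reasons.append(f"link text shows {visible_host} but points to {host}")
        elif host and _registered(host) != sender_domain:
            reasons.append(f"link leaves the sender's domain: {host}")
    return len(reasons), reasons


# Constructed sample messages (192.0.2.10 is a documentation address).
PHISH = dict(
    display_name="US Bank Customer Service",
    from_addr="alerts@mail-secure-login.example",
    subject="Your account has been randomly selected for verification",
    html_body='<p>Failure to respond within 24 hours will suspend your account.</p>'
              '<a href="http://192.0.2.10/usbank/login">http://www.usbank.com/login</a>')
BENIGN = dict(
    display_name="US Bank",
    from_addr="statements@usbank.com",
    subject="Your monthly statement is available",
    html_body='<p>Sign in at <a href="https://www.usbank.com/">www.usbank.com</a>.</p>')
```

`score_email(**PHISH)` returns 5 with one reason per trick matched, while `score_email(**BENIGN)` returns 0; a real gateway would weight the reasons rather than count them.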

Phishing Examples: US Bank
Source: http://www.antiphishing.org, viewed March 27, 2007


Phishing Targeted Industry
Source: Phishing Attack Trends Report – January 2007, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007

Phishing Reports Received by Anti-Phishing Working Group (APWG)
Source: Phishing Attack Trends Report – January 2007 & January 2006, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007

Top 10 Phishing Site Hosting Countries
Source: Phishing Attack Trends Report – January 2007, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007

Anti-phishing Solutions
• Implement educational programs for employees and users regarding phishing attacks
• Strong authentication: use digital signatures for outgoing emails
• Phishing response service: users can forward emails to the company to validate whether they really come from a credible source
• Create an international network of contacts in the legal, government and internet service provider communities to identify the sources of phishing attacks and shut down the website and the phisher's account
Source: http://www.verisign.com/static/031240.pdf, viewed March 27, 2007

Emerging Trends in IT Security

Biometrics
• The science and technology of measuring and statistically analyzing biological data.
• "Biometrics introduces a new option for identifying users as they interact with computer systems and networks."
Fumy, W. and Sauerbrey, J., Enterprise Security: IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing, 2006.

Biometrics
• Face Recognition – systematically analyzing specific features that are common to everyone's face
• Fingerprint Identification – comparing the pattern of ridges in fingerprints
• Hand Geometry Biometrics – works in harsh environments
• Retina Scan – no known way to replicate a retina; a good scan takes about 15 seconds
www.technovelgy.com/ct/technology-article.asp?artnum=16, viewed March 17, 2007

Biometrics
• Iris Scan – there are ways of encoding the iris scan to carry around in a "barcode" format
• Signature – digitized
• Voice Analysis
www.technovelgy.com/ct/technology-article.asp?artnum=16, viewed March 17, 2007

Biometric Comparisons
http://www.itsc.org.sg/synthesis/2002/biometric.pdf

Smart Cards
• Definition: a plastic card containing a microprocessor that enables the holder to perform operations requiring data that is stored in the microprocessor.
• Smart cards include a microchip for on-card processing capabilities and secure, portable storage for static and dynamic passwords, digital certificates and private keys, biometrics and other data.
http://en.wikipedia.org/wiki/Smart_card, viewed March 18, 2007.

Smart Cards
Two categories:
• Memory cards
• Microprocessor cards
Methods of reading cards:
• Contact smart card readers (ISO/IEC 7816/7810)
• Contactless smart card readers (ISO/IEC 14443)
"Real Big Price Tag for Real ID". Security: For Buyers of Products, Systems, & Services, Nov 2006, Vol 43 Issue 11, pg

Security Features

Security Features – Biometrics
• Based on physical human characteristics, making them difficult to replicate
• Cannot be lost or stolen
• Potential to identify people with a high degree of certainty
http://www.ax.sbiometrics.com/riskans.htm, viewed March 17, 2007

Security Features – Smart Cards
• Instead of a signature, transactions require PIN numbers
• Merchants must meet tougher standards for collection and storage of card data
• Card readers can obtain information directly from the card instead of retrieving it over a network
• Difficult to replicate
Warren, Karen. "Smart Cards Under Attack - Literally". Security: For Buyers of Products, March 2006, Volume 43 Issue 3, pg 34-36.

Security Features – Smart Cards
• Can be used in collaboration with biometrics, making verification more secure
• Computations can be done in the card itself, so keys need only exist in the cards
• Each card can contain a personal firewall, so data is only extracted when the external system is authenticated as having rights to the data
Boyd, Laura, Patricia D'Costa, and Mansour Karimzadeh. "Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology". Smart Card Alliance White Paper, Feb 2003, pp 2-30.
Warren, Karen. "Smart Cards Under Attack - Literally". Security: For Buyers of Products, March 2006, Volume 43 Issue 3, pg 34-36.

Components

Components – Biometric Devices
• Usability – should come with a practical user interface
• Integration Cost – devices range in price from $50 to $2000
• Throughput – time it takes to read the data (2 seconds to read a fingerprint, 30 seconds to read an iris scan)
• Trigger – external or automated
• Acquisition Time – images per second
• Data Transfer Rate – images transferred per second
• Ergonomic Design
Fumy, W. and Sauerbrey, J., Enterprise Security: IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing, 2006

Components – Smart Card
• CPU – manages data, executes cryptographic algorithms, and enforces application rules
• ROM – stores operating system software
• RAM – temporary storage of data
• Electrically Erasable Programmable Read-Only Memory (EEPROM) – stores small amounts of volatile (configuration) data
"Smart Cards Get Toe-Hold". Security Magazine, Nov 2006, pg 24.

Advantages to Managers

Advantages – Biometrics
• Cost savings in areas such as Loss Prevention and/or Time & Attendance
• Provides extremely accurate and secured access to information
• Can be done rapidly and with minimum training
• Identities can be linked to missing, stolen or altered documents
• Prevents lost, stolen, or borrowed ID cards
http://www.ax.sbiometrics.com, viewed March 17, 2007
http://www.technology.com/ct/technology-article.asp?artnum=14, viewed March 17, 2007

Advantages – Smart Cards
• Increased security
• Cost savings
• Easy to use (similar to using a debit card)
• Faster access to secured buildings
• Eliminates multiple passwords associated with different software
• Ability to continuously add new applications
"Benefits of Contactless Smart Cards". Smarter Buildings, Oct 2006, p 26.

Disadvantages to Managers

Disadvantages – Biometrics
• Cost
• Not always accessible for those with disabilities
• Can be viewed as an invasion of privacy
http://www.cs.rockhurst.edu/seminars/CS2003/Biometrics/index.html, viewed March 17, 2007
http://ezinearticles.com/?biometrics, viewed March 17, 2007

Disadvantages – Smart Cards
• Failure rate
• Expensive to implement
• Flexibility of the plastic card
• Hackers keep up with technology as soon as it is developed
Flavelle, Dana. "Chip-Based Cards May Cut Into Fraud". Toronto Star, April 2005.
Titus, John. "For Smart Cards Security is Key". Electronic Component News, June 2006, Vol 50 Issue 7, pp 27-28.

Applications

Applications – Biometrics
• Financial Services (ATMs)
• Immigration and Border Control
• Social Services – fraud prevention
• Health Care – security/privacy of records
• Physical Access Control – government/office buildings
• Time & Attendance
• Computer Security – personal access, network access, Internet, e-commerce
• Telecommunications – mobile phones, call center technology
• Law Enforcement – criminal investigation
• National Security
• Education/Schools
http://ezinearticles.com/?biometrics, viewed March 17, 2007

Applications Using Smart Cards
• Payment systems
• Mobile phones
• Physical/logical access control
• Secure ID
• Public transit
• Pay TV
• Voting systems
Warren, Karen. "Smart Cards Under Attack - Literally". Security: For Buyers of Products, March 2006, Volume 43 Issue 3, pp 34-36.
Center for Multimedia Education and Application Development, Multimedia University, www.cmead.mmu.edu, 2005.

Security Breaches

Security Breaches – Biometrics
• Hard to bypass biometric security measures because they are based on physical traits that are unique to individuals
• Mythbusters video: http://youtube.com/watch?v=ZncdgwjQxm0, viewed March 17, 2007

Security Breaches – Smart Cards
• Dissection of the card's components: hackers can simply remove the MCU's passivation layer and use a microscope to explore the chip, or use a focused ion-beam (FIB) system to tamper with it
Titus, Jon. "For Smart Cards, Security is the Key". ECN Magazine, June 2006, pp 27-28.

Security Breaches – Smart Cards
• Differential Power Analysis: an attack that observes a device's power consumption, which is closely linked to the computation being performed; it distinguishes nonvolatile memory programming and identifies cryptographic routines as they execute.
• Tearing (logic errors and power disruptions): these problems can reveal secrets, allowing hackers to get defective computations to execute, which then helps "crack the code"
Warren, Karen. "Smart Cards Under Attack - Literally". Security: For Buyers of Products, March 2006, Volume 43 Issue 3, pp 34-36.
Messerges, T. S., E. A. Dabbish, R. H. Sloan, "Examining Smart Card Security Under the Threat of Power Analysis Attacks". IEEE Transactions on Computers, May 2002.

"As the microprocessors in smart cards get more complicated and the amount of code increases, the chance of bugs increases substantially." – Paul Kocher, President of Cryptography Research

Cost Considerations of Implementation

Cost Considerations – Biometrics
• Hardware and software
• Database updating
• Installation
• Connection/user system integration
• System maintenance
• Staff training
• Identification collection and information maintenance
http://webhost.bridgew.edu/jcolby/it525/cost.html, viewed March 17, 2007

Cost Savings
That's savings of more than $2 million for every 2,000 employees!
"Smart Cards, Smart ROI". Security Magazine, January 2006, pp 24-26.

Companies Using Smart Cards
• U.S. Pentagon: 3.1 million DOD personnel use common access cards; the cards are used to log onto computers and add digital signatures to documents.
• Boeing Company: 200,000 employees, contractors, and partners received multifunction smart cards that primarily provide access to information systems and buildings. Still in a 5-year implementation period that started in 2004.
Carlson, Caren. "Are You Who You Say You Are?". eWeek, April 17, 2006.

Best Practices

Best Practices – IT Security
• Develop IT security policy and procedures
• Assess security standards and compliance with these standards
• Analyze threats and find ways to mitigate risks
• Monitor IT security and efficiently operate a security-enhanced system
http://www.microsoft.com/technet/itshowcase/content/securitywebapps.mspx, viewed April 6, 2007


Best Practices – Doe Run
• The first task of the newly created CSO position was to create a security policy and procedures manual.
• The CSO continually monitors compliance with the security policy manual and updates it accordingly.
• The CSO performs security assessments to identify new threats and then develops procedures to protect IT assets and information.
• The CSO continually monitors systems to ensure they are operating efficiently.

Best Practices – Smart Cards
• Consider all media on which the information is stored and transmitted, not just the information on the card
• Transmit only encrypted information
• Remove all information captured by the ID card reader as soon as the transaction is complete
• Use checklists for individual data fields to determine what rights each authorized group has
Boyd, Laura, Patricia D'Costa, and Mansour Karimzadeh. "Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology". Smart Card Alliance White Paper, Feb 2003, pp 2-30

Best Practices – Smart Cards
• Maximize the offline portion of transactions, while minimizing online access
• Allow cardholders to authorize card content extraction with a password, PIN, and/or biometrics for all transactions
• Construct applications so transaction records cannot be used as surveillance tools
Boyd, Laura, Patricia D'Costa, and Mansour Karimzadeh. "Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology". Smart Card Alliance White Paper, Feb 2003, pp 2-30
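The practices on this slide and the preceding one describe a single reader-side flow: a per-group checklist of permitted fields, cardholder PIN authorization before anything leaves the card, encryption of whatever is transmitted, purging the reader's copy after use, and a transaction record that cannot double as a surveillance log. The model below is an added example written for this page, not code from the Smart Card Alliance paper; the field-rights checklist, the sample card data, and the HMAC-based stand-in for a real cipher are assumptions made for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Checklist of the data fields each authorized group may extract (assumed).
FIELD_RIGHTS = {
    "building_access": {"card_id", "access_level"},
    "payroll": {"card_id", "employee_number"},
}


def _pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


def _keystream_xor(key, nonce, data):
    """Stand-in for a real cipher: XOR with an HMAC-SHA256 counter keystream.
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class Card:
    """Holds the cardholder's data and decides what may leave the chip."""

    def __init__(self, pin, fields):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = _pin_hash(pin, self._salt)
        self._fields = dict(fields)

    def release(self, pin, group):
        """Return only the fields the group is entitled to, and only after the
        cardholder has authorized the extraction with the PIN."""
        if group not in FIELD_RIGHTS:
            raise PermissionError(f"unknown group {group!r}")
        if not hmac.compare_digest(_pin_hash(pin, self._salt), self._pin_hash):
            raise PermissionError("cardholder did not authorize extraction")
        return {k: v for k, v in self._fields.items() if k in FIELD_RIGHTS[group]}


class Reader:
    """Terminal acting for one authorized group: encrypt, use, then purge."""

    def __init__(self, group, link_key):
        self.group = group
        self._link_key = link_key                   # shared with the back end
        self._record_key = secrets.token_bytes(32)  # per reader, never shared
        self.buffer = {}                            # transient copy of card data
        self.records = []

    def transaction(self, card, pin, use):
        fields = card.release(pin, self.group)
        nonce = secrets.token_bytes(12)
        # Only encrypted information ever leaves the reader.
        wire = nonce + _keystream_xor(self._link_key, nonce, json.dumps(fields).encode())
        self.buffer = dict(fields)
        try:
            outcome = use(self.buffer)       # the business use of the data
        finally:
            self.buffer.clear()              # remove captured info once done
        # The record carries no cardholder data; the card id is keyed per reader,
        # so records from different readers cannot be joined into a movement log.
        token = hmac.new(self._record_key, fields["card_id"].encode(),
                         hashlib.sha256).hexdigest()[:16]
        self.records.append({"group": self.group, "card": token, "outcome": outcome})
        return wire, outcome


def decrypt_wire(link_key, wire):
    """Back-end side: recover the fields from the transmitted bytes."""
    nonce, body = wire[:12], wire[12:]
    return json.loads(_keystream_xor(link_key, nonce, body))


def run_demo():
    """Constructed scenario: a payroll reader, a correct and a wrong PIN."""
    link_key = secrets.token_bytes(32)
    card = Card("4321", {"card_id": "C-0001", "access_level": 3,
                         "employee_number": "E-77", "blood_type": "O+"})
    payroll = Reader("payroll", link_key)
    wire, _ = payroll.transaction(card, "4321", lambda f: "paid")
    try:
        payroll.transaction(card, "0000", lambda f: "paid")
        bad_pin_rejected = False
    except PermissionError:
        bad_pin_rejected = True
    return {"received": decrypt_wire(link_key, wire),
            "buffer_after": dict(payroll.buffer),
            "records": payroll.records,
            "wire_has_plaintext": b"E-77" in wire,
            "bad_pin_rejected": bad_pin_rejected}
```

`run_demo()` shows the payroll reader receiving only `card_id` and `employee_number`, never `access_level` or `blood_type`, with an empty buffer and a pseudonymised record left behind.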

Recap
• IT security challenges are continually increasing.
• Security standards are evolving and adapting to meet new IT security challenges.
• New and innovative security procedures:
  • Smart Cards
  • Biometrics
