evesecures7 - University of Missouri

IT Security and Privacy
Fyfy Effendy
Ross Hardy
Amy Kirchner
Amanda MacDonell
Carrie Weinkein
Agenda
- Overview
- Security Breaches
- Fraud and Identity Theft
- Chief Security Officer
- Phishing
- Emerging Technologies
- Best Practices
IT Security Defined
Information security is the process of protecting information systems and data from unauthorized access, use, disclosure, destruction, modification, or disruption. Information security is concerned with the confidentiality, integrity, and availability of data regardless of the form the data may take: electronic, print, or other forms.
http://en.wikipedia.org/wiki/It_security, viewed April 2nd, 2007
Who cares about IT Security and Privacy?

Management Does!
Security and privacy rose from 19th in 1990 to 2nd in 2005 as a top management concern.
Luftman, J., Kempaiah, R., and Nash, E., Key Issues for IT Executives 2005, MIS Quarterly Executive, Vol. 5, No. 2, June 2006, pp 81-99
CIA Triangle
Three concepts form the core principles of information security.
- Confidentiality: Information of a confidential nature is protected from unauthorized disclosure.
- Integrity: Data cannot be changed, deleted, or altered without authorization.
- Availability: All information and computer systems used in the protection of information are available and functioning properly.
Fumy W. and Sauerbrey, J., Enterprise Security IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing. 2006.
Percentage of IT budget spent on IT security
Share of IT budget spent on security   Percentage of respondents
Unknown                                12%
Less than 1%                           21%
1-2%                                   26%
3-5%                                    6%
6-7%                                   11%
8-10%                                  10%
More than 10%                          13%
Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.
Security Breaches

Common Types of Potential IT Security Breaches
There are many types of potential IT security threats:
- Viruses
- Theft
- Fraud
- Spam
- Worms
- Phishing/Spoofing
- Sabotage
- Social Networking
Garg, Ashisha, Jeffrey Curtis, and Hilary Halper. “The Financial Impact of IT Security Breaches: What Do Investors Think?”. Security Management Practices. March/April 2003. PP 1-9.
Types of Attacks or Misuse
Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

Trends in Information Security Breaches
“Special Report: The Shift in Data Security- Stop the Insider Threat”. CSO FOCUS. October 2005. PP 2-8

Trends in Information Security Breaches
http://www.aarp.org/research/frauds-scams/fraud/dd142_security_breach.html, viewed April 06, 2007
Frequency of Cyber Security Breaches
How many incidents, by % of respondents
Year   1-5   6-10   >10   Don't know
2006   48    15     9     28
2005   43    19     9     28
2004   47    20     12    22
2003   38    20     16    26
2002   42    20     15    23
2001   33    24     11    31
2000   33    23     13    31
1999   34    22     14    29
Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.
Why should general managers care about IT security breaches?

Cost of Cyber Security Breach
Tangible
- Lost business
- Lost productivity of non-IT staff
- Labor and material costs associated with the IT staff’s detection, containment, repair and reconstitution of the breached resources
- Legal costs associated with the collection of forensic evidence and the prosecution of an attacker
- Public relations consulting costs, to prepare statements for the press and answer customer questions
- Increases in insurance premiums
What Does a Computer Breach Really Cost? Anita D. D’Amico, Ph.D. Secure Decisions, a Division of Applied Visions, Inc., September 7, 2000

Cost of Cyber Security Breach
Intangible
- Customers’ loss of trust in the organization
- Failure to win new accounts due to bad press associated with the breach
- Competitors’ access to confidential or proprietary information
What Does a Computer Breach Really Cost? Anita D. D’Amico, Ph.D. Secure Decisions, a Division of Applied Visions, Inc., September 7, 2000
Amount Lost from Security Breach by Type
Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

Outsourcing Computer Security
Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.

Outsourcing Computer Security
- Most of the respondents did not outsource IT security.
- IT security is one of the core capabilities and therefore should be kept in house.
Source: Lacity, M., “Twenty Customer and Supplier Lessons on IT Sourcing,” Cutter Consortium, Vol. 5, 12, 2004, pp.1-27

Most Critical Issues for the Next 2 years
Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.
Fraud and Identity Theft
“Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade Commission. May 12 2006. PP 2-32.
Chief Security Officer

Role of the CSO
- Good communicator
- Able to promote IT security projects as business projects
- Knowledgeable in a wide array of areas including IT, business, legal and policy
McAdams, A., “Security and Risk Management – A Fundamental Business Issue” Information Management Journal, Vol 38, Issue 4, July/August 2004, pg 36

Functions of the CSO
- Provide leadership
- Establish an integrated information systems framework
- Create and implement security policies and procedures
- Set and monitor metrics
- Allocate funding to IT projects
- Create training programs for employees
- Create a support system for these programs
McAdams, A., “Security and Risk Management – A Fundamental Business Issue” Information Management Journal, Vol 38, Issue 4, July/August 2004, pg 36

Background of a CSO
- Come from a predominantly IS background
- Other common backgrounds include:
  - Corporate Security (35%)
  - Military (32%)
  - Law Enforcement (21%)
  - Business Operations (19%)
  - Audit (18%)
Petersen, Rodney, “The Role of the CSO” Educause Review September/October 2006 Pages 73-82

Importance of the CSO
The Global State of Information Security 2006 Survey, http://secure.idg.com.au/images/cio/CSO_Security_Survey.pdf, viewed April 14, 2007
Doe Run Company
St. Louis, Missouri

Company Information – Doe Run
- International natural resource company
- Mining, smelting, recycling and fabrication of metals
- North America’s largest integrated lead producer and third largest total lead producer in the world
- Also produces zinc, copper, gold and silver
- Locations in Missouri, Washington, Arizona and Peru
- 4,000 employees worldwide
- 2 billion in annual sales
http://www.doerun.com/about/company.aspx, viewed March 13, 2007

Company Information – Doe Run
- Founded in 1864 when St. Joseph Lead Company purchased land known for its lead deposits in Southeast Missouri.
- The Southeast Missouri location operates the mining and milling division and extracts around 70% of the primary lead supply in the US.
- In 2003, 4.6 million tons of ore were mined and milled at this location.
http://www.doerun.com/about/company.aspx, viewed March 13, 2007

Company Information – Doe Run
- Began operating a smelter in Herculaneum, MO in 1892; all smelting activities were consolidated there in 1920.
- 24-hour smelter that extracts lead from ore received from the Southeast MO division.
- In 2003, produced 146,746 tons of primary lead.
- In 1997, more than doubled in size by acquiring refineries and smelters in La Oroya, Peru.
http://www.doerun.com/about/company.aspx, viewed March 13, 2007

Company Information – Doe Run
- Later that year they also acquired copper mines in Cobriza, Peru and created Doe Run Peru.
- In 2003, the Cobriza copper mine produced 67,216 metric tons of copper concentrate.
- From this copper concentrate, the La Oroya division produces 15,700 metric tons of metallic copper.
- They now operate six mines, four mills, one primary smelter and one lead recycling plant.
http://www.doerun.com/about/company.aspx, viewed March 13, 2007
Chief Security Officer
Craig Williams
- Reports to the CIO, who reports directly to the CEO
- Directly responsible for all data and physical security in North and South America
- Annual IT budget of $2.8 million with one-third allocated to IT security
- 50 employees in the IT department with 4 dedicated to security
Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

Provisions for IT Security – Doe Run
- Security policy and procedures manual
- Employee security awareness training
- Intrusion prevention and detection
- Biometric technology for mobile computing
Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

Common Threats – Doe Run
- Social Engineering
  - Phone Calls
  - Visits
- Virus Attacks
- Hackers
  - Moved website from in-house to hosted
Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

IT Security – Doe Run
Benefits
- IT security has increased 75% since the CSO position was created (one and a half years ago)
- Have been able to get increased budget for IT security
Limitations
- Not enough employees dedicated to IT security
Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007

Future of IT Security – Doe Run
- Implement data mining security and encryption
- Security policy updates
- Continue doing security assessments
  - Attack and penetration
  - Physical
- Door access using biometric technology
  - Will be utilized in new top secret area
  - Adhere to National Security Advisory Standards
Craig Williams, CISO, Doe Run Company. Interviewed by phone by Carrie Weinkein, March 15, 2007
Phishing

Phishing
- Online identity theft in which confidential information is obtained from an individual.
- Direct phishing-related loss to US banks and credit card issuers in 2003 was $1.2 billion.
- Indirect losses (customer service expenses, account replacement costs, increased expenses due to decreased use of online services) are much higher.
- Causes substantial hardship for victimized consumers, due to the difficulty of repairing credit damaged by fraudulent activity.
ITTC Report on Online Identity Theft Technology and Countermeasures (Aaron Emigh)
http://www.antiphising.org, viewed March 15, 2007
Tricks used in Spoof Emails
- “Spoofing” reputable companies
- Creating a plausible premise (e.g. account information is outdated, credit card is expired, or account has been randomly selected for verification)
- Requiring a quick response
- Collecting information in the email
- Links to web sites that gather information
- Using raw IP addresses in links
Anatomy of a Phishing Email. By Christine E. Drake, Jonathan J. Oliver, and Eugene J. Koontz. MailFrontier, Inc., 2004
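A defender-side scorer for the tricks listed above, added here as an example (not code from the slides or from the MailFrontier paper): it flags account-problem and urgency wording, a form embedded in the email, links whose host is a raw IP address, link text whose host differs from the real target, and a Reply-To domain that differs from the From domain. The two sample messages, the keyword lists and the threshold are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Keyword lists for two of the tricks: a plausible account-problem premise and a
# demand for a quick response. Constructed for this example, not from the source.
PREMISE_WORDS = ("outdated", "expired", "randomly selected", "verify", "verification")
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "urgent")
LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'^https?://([^/:?#\s]+)', re.I)
IPV4_RE = re.compile(r'^(\d{1,3}\.){3}\d{1,3}$')

# Constructed sample messages using documentation-only domains and addresses.
PHISH = """\
From: "US Bank Online Services" <alerts@usbank-alerts.example>
Reply-To: verify@collector.example
Content-Type: text/html

<html><body>
<p>Your account information is outdated. Verify your details immediately or your
account will be suspended within 24 hours.</p>
<form action="http://192.0.2.10/collect.php" method="post">Card number: <input name="cc"></form>
<p><a href="http://192.0.2.10/login">http://www.usbank.example/login</a></p>
</body></html>
"""
LEGIT = """\
From: "Payroll" <payroll@example.com>
Content-Type: text/html

<html><body><p>Your March statement is available in the employee portal.</p>
<p><a href="https://portal.example.com/statements">https://portal.example.com/statements</a></p>
</body></html>
"""

def hostname(url):
    """Host part of an http(s) URL, lower-cased; '' if the text is not a URL."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""

def addr_domain(header_value):
    """Domain of the address in a From/Reply-To header, lower-cased ('' if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def score_email(raw):
    """Return (score, reasons) for one single-part RFC 822 message: one point per trick seen."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = body.lower()
    reasons = []
    from_dom, reply_dom = addr_domain(msg.get("From", "")), addr_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:   # replies go somewhere other than the claimed sender
        reasons.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))
    if any(w in text for w in PREMISE_WORDS):
        reasons.append("account-problem premise")
    if any(w in text for w in URGENCY_WORDS):
        reasons.append("demands a quick response")
    if "<form" in text or "<input" in text:  # information collected inside the email itself
        reasons.append("collects information inside the email")
    for href, anchor in LINK_RE.findall(body):
        target = hostname(href)
        if IPV4_RE.match(target):             # raw IP address instead of the company's domain
            reasons.append("link to raw IP address %s" % target)
        shown = hostname(anchor)
        if shown and shown != target:         # visible URL differs from the real destination
            reasons.append("link text shows %s but points to %s" % (shown, target))
    return len(reasons), reasons

def verdict(raw):
    """Classify with a threshold chosen for this example: 3+ tricks is likely phishing."""
    score, _ = score_email(raw)
    if score == 0:
        return "no phishing indicators"
    return "likely phishing" if score >= 3 else "suspicious"
```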
Phishing Examples: US Bank
Source: http://www.antiphishing.org, viewed March 27, 2007

Phishing Targeted Industry
Source: Phishing Attack Trends Report – January 2007, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007

Phishing Reports Received by Anti-Phishing Working Group (APWG)
[Chart: number of phishing reports submitted to APWG per month (Jan-Dec), 2005 vs 2006; y-axis 0-30,000 reports.]
Source: Phishing Attack Trends Report – January 2007 & January 2006, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007

Top 10 Phishing Sites Hosting Countries
Source: Phishing Attack Trends Report – January 2007, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007
Anti-phishing Solution
- Implement educational programs for employees and users regarding phishing attacks
- Strong authentication – use digital signatures for outgoing emails
- Phishing response service – users can forward emails to the company for validation of whether they really come from credible sources
- Create an international network of contacts in the legal, government and internet service provider communities to identify sources of phishing attacks and shut down websites and phishers’ accounts
Source: http://www.verisign.com/static/031240.pdf, viewed March 27, 2007
Emerging Trends in IT Security

Biometrics
- Biometrics: The science and technology of measuring and statistically analyzing biological data.
- “Biometrics introduces a new option for identifying users as they interact with computer systems and networks.”
Fumy W. and Sauerbrey, J., Enterprise Security IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing. 2006.

Biometrics
- Face Recognition – systematically analyzing specific features that are common to everyone’s face
- Fingerprint Identification – comparing the pattern of ridges in fingerprints
- Hand Geometry Biometrics – works in harsh environments
- Retina Scan – No known way to replicate a retina. A good scan takes about 15 seconds
www.technovelgy.com/ct/technology-article.asp?artnum=16 viewed March 17, 2007

Biometrics
- Iris Scan – There are ways of encoding the iris scan to carry around in a “barcode” format
- Signature – Digitized
- Voice Analysis
www.technovelgy.com/ct/technologyarticle.asp?artnum=16 viewed March 17, 2007

Biometric Comparisons
http://www.itsc.org.sg/synthesis/2002/biometric.pdf
Smart Cards
Definition: a plastic card containing a microprocessor that enables the holder to perform operations requiring data that is stored in the microprocessor.
Smart cards include a microchip for on-card processing capabilities and secure, portable storage for static and dynamic passwords, digital certificates and private keys, biometrics and other data.
http://en.wikipedia.org/wiki/Smart_card, viewed March 18, 2007.

Smart Cards
Two Categories:
- Memory Cards
- Microprocessor Cards
Methods of Reading Cards:
- Contact Smart Card Readers (ISO/IEC 7816/7810)
- Contactless Smart Card Readers (ISO/IEC 14443)
“Real Big Price Tag for Real ID” Security: For Buyers of Products, Systems, & Services. Nov 2006, Vol 43 Issue 11, pg 24

Security Features
Security Features – Biometrics
- Based on physical human characteristics, making it difficult to replicate
- Cannot be lost or stolen
- Potential to identify people at a high degree of certainty
http://www.ax.sbiometrics.com/riskans.htm Viewed March 17, 2007

Security Features – Smart Cards
- Instead of a signature, transactions require PIN numbers
- Merchants must meet tougher standards for collection and storage of card data
- Card readers can obtain information directly from the card instead of retrieving it over a network
- Difficult to replicate
Warren, Karen. “Smart Cards Under attack- Literally”. Security: For Buyers of Products. March 2006. Volume 43 Issue 3 Pg. 34-36.

Security Features – Smart Cards
- Can be used in collaboration with biometrics, making verification more secure
- Computations can be done in the card itself, so keys need only exist in the cards
- Each card can contain a personal firewall, so data is only extracted when the external system is authenticated as having rights to the data
Boyd, Laura, Patricia D’Costa, and Mansour Karimzadeh. “Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology”. Smart Card Alliance White Paper. Feb 2003. pp2-30.
Warren, Karen. “Smart Cards Under attack- Literally”. Security: For Buyers of Products. March 2006. Volume 43 Issue 3 Pg. 34-36.
Components

Components – Biometric Devices
- Usability – should come with a practical user interface
- Integration
- Cost – Devices range in price from $50-$2000
- Throughput – Time it takes to read the data (2 seconds to read a fingerprint, 30 seconds to read an iris scan)
- Trigger – External or Automated
- Acquisition Time – Images per second
- Data Transfer Rate – Images transferred per second
- Ergonomic Design
Fumy W. and Sauerbrey, J., Enterprise Security IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing. 2006

Components – Smart Card
- CPU – manages data, executes cryptographic algorithms, and enforces application rules
- ROM – stores operating system software
- RAM – temporary storage of data
- Electrically Erasable Programmable Read-Only Memory (EEPROM) – stores small amounts of volatile (configuration) data
“Smart Cards Get Toe-Hold”. Security Magazine. Nov 2006. pg. 24.
Advantages to Managers

Advantages – Biometrics
- Cost savings in areas such as Loss Prevention and/or Time & Attendance
- Provides extremely accurate and secured access to information
- Can be done rapidly and with minimum training
- Identities can be linked to missing, stolen or altered documents
- Prevents lost, stolen, or borrowed ID cards
http://www.ax.sbiometrics.com Viewed March 17, 2007
http://www.technology.com/ct/technology-article.asp?artnum=14 Viewed March 17, 2007

Advantages – Smart Cards
- Increased Security
- Cost Savings
- Easy to Use (similar to using a debit card)
- Faster Access to Secured Buildings
- Eliminates Multiple Passwords Associated With Different Software
- Ability to Continuously Add New Applications
“Benefits of Contactless Smart Cards”. Smarter Buildings. Oct 2006. p 26.

Disadvantages to Managers

Disadvantages - Biometrics
- Cost
- Not always accessible for those with disabilities
- Can be viewed as an invasion of privacy
http://www.cs.rockhurst.edu/seminars/CS2003/Biometrics/index.html Viewed March 17, 2007
http://ezinearticles.com/?biometrics Viewed March 17, 2007

Disadvantages – Smart Cards
- Failure Rate
- Expensive to Implement
- Flexibility of Plastic Card
- Hackers Keep up with Technology as soon as it is Developed
Flavelle, Dana. “Chip-Based Cards may Cut Into Fraud”. Toronto Star. April 2005.
Titus, John. “For Smart Cards Security is Key”. Electronic Component News. June 2006. Vol 50 Issue 7, PP. 27-28.
Applications

Applications - Biometrics
- Financial Services (ATMs)
- Immigration and Border Control
- Social Services – Fraud Prevention
- Health Care – Security/Privacy of records
- Physical Access Control – Government/Office buildings
- Time & Attendance
- Computer Security – Personal Access, Network Access, Internet, E-Commerce
- Telecommunications – Mobile Phones, Call Center Technology
- Law Enforcement – Criminal Investigation
- National Security
- Education/Schools
http://ezinearticles.com/?biometrics Viewed March 17, 2007

Applications Using Smart Cards
- Payment Systems
- Mobile Phones
- Physical/logical access control
- Secure ID
- Public Transit
- Pay TV
- Voting Systems
Warren, Karen. “Smart Cards Under attack- Literally”. Security: For Buyers of Products. March 2006. Volume 43 Issue 3 PP. 34-36.
Center For Multimedia Education and Application Development. Multimedia University. www.cmead.mmu.edu. 2005.
Security Breaches

Security Breaches - Biometrics
- Hard to bypass biometric security measures because they are based on physical traits that are unique to individuals
- Mythbusters Video
http://youtube.com/watch?v=ZncdgwjQxm0 Viewed March 17, 2007

Security Breaches – Smart Cards
- Dissection of the Card’s Components
  Hackers can simply remove the MCU's passivation layer and use a microscope to explore the chip or use a focused ion-beam (FIB) system to tamper with it
Titus, Jon. “For Smart Cards, Security is the Key”. ECN Magazine. June 2006. pp 27-28.

Security Breaches – Smart Cards
- Differential Power Analysis
  An attack that observes a device’s power consumption, which is closely linked to the computation being performed; it distinguishes non-volatile memory programming and identifies cryptographic routines as they execute.
  Video
- Tearing (Logic Errors and Power Disruptions)
  These problems can reveal secrets, allowing hackers to get defective computations to execute, which then helps “crack the code”
Warren, Karen. “Smart Cards Under attack- Literally”. Security: For Buyers of Products. March 2006. Volume 43 Issue 3 PP. 34-36.
Messerges, T.S, E.A. Dabbish, R.H. Sloan, “Examining Smart Card Security Under the Threat of Power Analysis Attacks”. IEEE Transactions on Computers. May 2002.

"As the microprocessors in smart cards get more complicated and the amount of code increases, the chance of bugs increases substantially,"
- Paul Kocher, President of Cryptography Research
Cost Considerations of Implementation

Cost Considerations - Biometrics
- Hardware and Software
- Database updating
- Installation
- Connection/User system integration
- System Maintenance
- Staff Training
- Identification collection and information maintenance
http://webhost.bridgew.edu/jcolby/it525/cost.html Viewed March 17, 2007

Cost Savings
That’s savings of more than $2 million for every 2,000 employees!
“Smart Cards, Smart ROI”. Security Magazine. January 2006. pp 24-26.

Companies Using Smart Cards
- U.S. Pentagon: 3.1 million DOD personnel use common access cards; cards are used to log onto computers and add digital signatures to documents.
- Boeing Company: 200,000 employees, contractors, and partners received multifunction smart cards that primarily provide access to information systems and buildings. Still in the 5-year implementation period that started in 2004.
- The Queens Health Network: 14,000 cards have been issued. Cards contain the patient’s photo ID, name, address, emergency contact, allergies, current medications, and recent lab results.
Carlson, Caren. “Are You Who You Say You Are?”. Eweek. April 17, 2006.
Best Practices

Best Practices – IT Security
- Develop IT security policy and procedures
- Assess security standards and compliance with these standards
- Analyze threats and find ways to mitigate risks
- Monitor IT security and efficiently operate a security-enhanced system
http://www.microsoft.com/technet/itshowcase/content/securitywebapps.mspx, viewed April 6, 2007

Best Practices – Doe Run
- The first task of the newly created CSO position was to create a security policy and procedures manual.
- The CSO continually monitors compliance with the security policy manual and updates it accordingly.
- The CSO performs security assessments to identify new threats and then develops procedures to protect IT assets and information.
- The CSO continually monitors systems to ensure they are operating efficiently.

Best Practices – Smart Cards
- Consider all media on which the info is stored and transmitted, not just the info on the card
- Transmit only encrypted info
- Remove all info captured by the ID card reader as soon as the transaction is complete
- Use checklists for individual data fields to determine what rights each authorized group has
Boyd, Laura, Patricia D’Costa, and Mansour Karimzadeh. “Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology”. Smart Card Alliance White Paper. Feb 2003. pp2-30

Best Practices – Smart Cards
- Maximize the offline portion of transactions, while minimizing online access
- Allow cardholders to authorize card content extraction with a password, PIN, and/or biometrics for all transactions
- Construct applications so transaction records cannot be used as surveillance tools
Boyd, Laura, Patricia D’Costa, and Mansour Karimzadeh. “Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology”. Smart Card Alliance White Paper. Feb 2003. pp2-30
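The per-field rights checklist, cardholder PIN authorization and non-identifying transaction record from the two smart-card best-practice slides above, worked through for a card like the Queens Health Network one described earlier. This is an added example, not code from the slides or from the Smart Card Alliance paper; the groups, rights matrix, field values and PIN are constructed for it.

```python
import hashlib
import hmac
import os

# Field set modelled on the Queens Health Network card described on the
# "Companies Using Smart Cards" slide; the values are constructed.
SAMPLE_CARD = {
    "photo_id": "<jpeg bytes>", "name": "Jane Q. Sample", "address": "1 Example Street",
    "emergency_contact": "J. Sample, +1 555 0100", "allergies": "penicillin",
    "medications": "metformin", "lab_results": "HbA1c 6.1%",
}
# Per-field checklist of rights for each authorized group (groups and rules are
# assumptions for this example). "read": released on request; "pin": released only
# after the cardholder authorizes the extraction with their PIN.
RIGHTS = {
    "registration_clerk": {"photo_id": "read", "name": "read", "address": "pin",
                           "emergency_contact": "pin"},
    "emergency_staff": {"photo_id": "read", "name": "read", "emergency_contact": "read",
                        "allergies": "read", "medications": "read"},
    "pharmacist": {"name": "read", "allergies": "read", "medications": "pin"},
}


class Card:
    """Card side: holds the data and verifies the PIN itself, with a try counter."""
    MAX_TRIES = 3

    def __init__(self, fields, pin):
        self._fields = dict(fields)
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(pin)  # only a salted hash is stored, never the PIN
        self.tries_left = self.MAX_TRIES

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def verify_pin(self, pin):
        if self.tries_left == 0:  # blocked after too many wrong PINs
            return False
        if hmac.compare_digest(self._derive(pin), self._pin_hash):
            self.tries_left = self.MAX_TRIES
            return True
        self.tries_left -= 1
        return False

    def read_field(self, name):
        return self._fields[name]


def extract(card, group, requested, pin=None):
    """Reader side: release only the fields the group's checklist allows.

    Returns (released, denied, log_record). The reader keeps nothing once the
    values are handed back, and the record names the group, the fields and the
    outcome but never the cardholder, so it cannot double as a surveillance trail.
    """
    rights = RIGHTS.get(group, {})
    pin_ok = pin is not None and card.verify_pin(pin)
    released, denied = {}, []
    for field in requested:
        rule = rights.get(field)
        if rule == "read" or (rule == "pin" and pin_ok):
            released[field] = card.read_field(field)
        else:
            denied.append(field)
    log_record = {"group": group, "released": sorted(released),
                  "denied": sorted(denied), "pin_used": pin_ok}
    return released, denied, log_record
```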
Recap
- IT security challenges are continually increasing.
- Security standards are evolving and adapting to meet new IT security challenges.
- New and innovative security procedures:
  - Smart Cards
  - Biometrics