IT Security and Privacy Fyfy Effendy Ross Hardy Amy Kirchner Amanda MacDonell Carrie Weinkein 1 Agenda Overview Security Breaches Fraud and Identity Theft Chief Security Officer Phishing Emerging Technologies Best Practices 2 IT Security Defined Information security is the process of protecting information systems and data from unauthorized access, use, disclosure, destruction, modification, or disruption. Information security is concerned with the confidentiality, integrity, and availability of data regardless of the form the data may take: electronic, print, or other forms. http://en.wikipedia.org/wiki/It_security, viewed April 2nd, 2007 3 Who cares about IT Security and Privacy? 4 Management Does! Security and privacy rose from 19th in 1990 to 2nd in 2005 as a top management concern. Luftman, J., Kempaiah, R., and Nash, E., Key Issues for IT Executives 2005, MIS Quarterly Executive, Vol. 5, No. 2, June 2006, pp 81-99 5 CIA Triangle Three core concepts form the core principles of information security. Confidentiality: Integrity: Information of confidential nature. Data cannot be changed, deleted, or altered without authorization. Availability: All information and computer systems used in the protection of information are available and functioning properly. Fumy W. and Sauerbrey, J., Enterprise Security IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing. 2006. 6 Percentage of IT budget spent on IT security Unknown 12% Less than 1% 21% 1-2% 26% 3-5% 6% 6-7% 11% 8-10% 10% More than 10% 13% 0% 5% 10% 15% 20% 25% 30% Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25. 7 Security Breaches 8 Common Types of Potential IT Security Breaches There are many types of potential IT security threats: Viruses Theft Fraud Spam Worms Phishing/Spoofing Sabotage Social Networking Garg, Ashisha, Jeffrey Curtis, and Hilary Halper. “The Financial Impact of IT Security Breaches: What Do Investors Think?”. Security Management Practices. March/April 2003. PP 1-9. 9 Types of Attacks or Misuse Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security 10 Institute. 2006. PP 1-25. Trends in Information Security Breaches “Special Report: The Shift in Data Security- Stop the Insider Threat”. CSO FOCUS. October 2005. PP 2-8 11 Trends in Information Security Breaches http://www.aarp.org/research/frauds-scams/fraud/dd142_security_breach.html, viewed April 06, 2007 12 Trends in Information Security Breaches http://www.aarp.org/research/frauds-scams/fraud/dd142_security_breach.html, viewed April 06, 2007 13 Frequency of Cyber Security Breaches How many incidents, by % of respondents 1-5 6-10 >10 Don't know 2006 48 15 9 28 2005 43 19 9 28 2004 47 20 12 22 2003 38 20 16 26 2002 42 20 15 23 2001 33 24 11 31 2000 33 23 13 31 1999 34 22 14 29 Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security 14 Institute. 2006. PP 1-25. Why should general managers care about IT security breaches? 15 Cost of Cyber Security Breach Tangible Lost business Lost productivity of non IT staffs Labor and material costs associated with the IT staff ’s detection, containment, repair and reconstitution of the breached resources Legal costs associated with the collection of forensic evidence and the prosecution of an attacker Public relations consulting costs, to prepare statements for the press, and answer customer questions Increases in insurance premiums What Does a Computer Breach Really Cost? Anita D. D’Amico, Ph.D. Secure Decisions, a Division of Applied Visions, Inc., September 7, 2000 16 Cost of Cyber Security Breach Intangible Customers’ loss of trust in the organization Failure to win new accounts due to bad press associated with the breach Competitor’s access to confidential or proprietary information What Does a Computer Breach Really Cost? Anita D. D’Amico, Ph.D. Secure Decisions, a Division of Applied Visions, Inc., September 7, 2000 17 Amount Lost from Security Breach by Type Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security 18 Institute. 2006. PP 1-25. Outsourcing Computer Security Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security 19 Institute. 2006. PP 1-25. Outsourcing Computer Security Most of the respondents did not outsource the IT security IT security is one of the core capabilities and therefore should be kept in house. Source: Lacity, M., “Twenty Customer and Supplier Lessons on IT Sourcing,” Cutter Consortium, Vol. 5, 12, 2004, pp.1-27 20 Most Critical Issues for the Next 2 years Gordon, Lawrence, Martin Loeb, William Lucyshn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security 21 Institute. 2006. PP 1-25. 22 Fraud and Identity Theft “Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade 23 Commission. May 12 2006. PP 2-32. Fraud and Identity Theft “Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade 24 Commission. May 12 2006. PP 2-32. Fraud and Identity Theft “Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade 25 Commission. May 12 2006. PP 2-32. Fraud and Identity Theft “Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over”. Federal Trade 26 Commission. May 12 2006. PP 2-32. Chief Security Officer 27 Role of the CSO Good communicator Able to promote IT security projects as business projects Knowledgeable in a wide array of areas including IT, business, legal and policy McAdams, A., “Security and Risk Management – A Fundamental Business Issue” Information Management Journal, Vol 38, Issue 4, July/August 2004, pg 36 28 Functions of the CSO Provide leadership Establish an integrated information systems framework Create and implement security policies and procedures Set and monitor metrics Allocate funding to IT projects Create training programs for employees Create support system for these programs McAdams, A., “Security and Risk Management – A Fundamental Business Issue” Information Management Journal, Vol 38, Issue 4, July/August 2004, pg 36 29 Background of a CSO Come from a predominantly IS background Other common backgrounds include: Corporate Security (35%) Military (32%) Law Enforcement (21%) Business Operations (19%) Audit (18%) Petersen, Rodney, “The Role of the CSO” Educause Review September/October 2006 Pages 73-82 30 Importance of the CSO The Global State of Information Security 2006 Survey, http://secure.idg.com.au/images/cio/CSO_Security_Survey.pdf, viewed April 14, 2007 31 Doe Run Company St. Louis, Missouri 32 Company Information – Doe Run International natural resource company Mining, smelting, recycling and fabrication of metals North America’s largest integrated lead producer and third largest total lead producer in the world Also produces zinc, copper, gold and silver Locations in Missouri, Washington, Arizona and Peru 4,000 employees worldwide 2 Billion in annual sales http://www.doerun.com/about/company.aspx, viewed March 13, 2007 33 Company Information – Doe Run Founded in 1864 when St. Joseph Lead Company purchased land known for its lead deposits in Southeast Missouri. The Southeast Missouri location operates the mining and milling division and extracts around 70% of the primary lead supply in the US. In 2003, 4.6 million tons of ore mined and milled at this location. http://www.doerun.com/about/company.aspx, viewed March 13, 2007 34 Company Information – Doe Run Began operating a smelter in Herculaneum, MO in 1892 and all smelting activities were consolidated there in 1920. 24-hour smelter that extracts lead from ore received from the Southeast MO division. In 2003, produced 146,746 tons of primary lead. In 1997, more than doubled in size by acquiring refineries and smelters in La Oroya, Peru. http://www.doerun.com/about/company.aspx, viewed March 13, 2007 35 Company Information – Doe Run Later that year they also acquired copper mines in Corbiza, Peru and created Doe Run Peru. In, 2003 the Corbiza copper mine produced 67,216 metric tons of copper concentrate. From this copper concentrate, the La Oroya division produces 15,700 metric tons of metallic copper. They now operate six mines, four mills, one primary smelter and one lead recycling plant. http://www.doerun.com/about/company.aspx, viewed March 13, 2007 36 Chief Security Officer Craig Williams Reports to the CIO who reports directly to CEO Directly responsible for all data and physical security in North and South America Annual IT budget of $2.8 million with onethird allocated to IT security 50 employees in the IT department with 4 dedicated to security Craig Williams, CISO, Doe Run Company Interviewed by phone by Carrie Weinkein, March 15, 2007 37 Provisions for IT Security – Doe Run Security policy and procedures manual Employee security awareness training Intrusion prevention and detection Biometric technology for mobile computing Craig Williams, CISO, Doe Run Company Interviewed by phone by Carrie Weinkein, March 15, 2007 38 Common Threats – Doe Run Social Engineering Phone Calls Visits Virus Attacks Hackers Moved website from in-house to hosted Craig Williams, CISO, Doe Run Company Interviewed by phone by Carrie Weinkein, March 15, 2007 39 IT Security – Doe Run Benefits IT security has increased 75% since CSO position was created (one and a half years ago) Have been able to get increased budget for IT security Limitations Not enough employees dedicated to IT security Craig Williams, CISO, Doe Run Company Interviewed by phone by Carrie Weinkein, March 15, 2007 40 Future of IT Security – Doe Run Implement data mining security and encryption Security policy updates Continue doing security assessments Attack and penetration Physical Door access using biometric technology Will be utilized in new top secret area Adhere to National Security Advisory Standards Craig Williams, CISO, Doe Run Company Interviewed by phone by Carrie Weinkein, March 15, 2007 41 Phishing 42 Phishing Online identity theft in which confidential information is obtained from an individual. Direct phishing-related loss to US Banks and credit card issuers in 2003 was $1.2 billion Indirect loss (customer service expenses, account replacement costs, increased expenses due to decreased use of online service) are much higher Causes substantial hardship for victimized consumers, due to the difficulty of repairing credit damaged by fraudulent activity. ITTC Report on Online Identity Theft Technology and Countermeasures (Aaron Emigh) http://www.antiphising.org, viewed March 15, 2007 43 Tricks used in Spoof Emails “Spoofing” reputable companies Creating a plausible premise (i.e. account information is outdated, credit card is expired, or account has been randomly selected for verification) Requires a quick response Collecting information in the email Links to web sites that gather information Using IP address Anatomy of a Phishing Email By Christine E. Drake, Jonathan J. Oliver, and Eugene J. Koontz MailFrontier, Inc., 2004 44 Phishing Examples: US Bank Source: http://www.antiphishing.org, viewed March 27, 2007 45 Phishing Examples: US Bank Source: http://www.antiphishing.org, viewed March 27, 2007 46 Phishing Targeted Industry Source: Phishing Attack Trends Report – January 2007, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007 47 Number of phishing reports submitted to APWG Phishing Reports Received by Anti-Phishing Working Group (APWG) 30000 25000 20000 15000 10000 5000 0 2006 2005 Jan Feb March Apr May June July Aug Sept Oct Nov Dec Month Source: Phishing Attack Trends Report – January 2007 & January 2006, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007 48 Top 10 Phishing Sites Hosting Countries Source: Phishing Attack Trends Report – January 2007, Anti-Phishing Working Group, http://www.antiphishing.org, viewed March 27, 2007 49 Anti-phishing Solution Implement educational programs for employees and users regarding phishing attack Strong authentication – use digital signatures for outgoing emails Phishing responsive service – users can forward emails to company to validation whether it really comes from credible sources Create international network of contacts in the legal, government and internet service provider communities to identify sources of phishing attacks, shut down website and phiser’s account Source: http://www.verisign.com/static/031240.pdf, viewed March 27, 2007 50 Emerging Trends in IT Security 51 Biometrics Biometrics: The science and technology of measuring and statistically analyzing biological data. “Biometrics introduces a new option for identifying users as they interact with computer systems and networks.” Fumy W. and Sauerbrey, J., Enterprise Security IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing. 2006. 52 Biometrics Face Recognition – systematically analyzing specific features that are common to everyone’s face Fingerprint Identification – comparing the pattern of ridges in fingerprints Hand Geometry Biometrics – works in harsh environments Retina Scan – No known way to replicate a retina. A good scan takes about 15 seconds www.technovelgy.com/ct/technology-article.asp?artnum=16 viewed March 17, 2007 53 Biometrics Iris Scan – There are ways of encoding the iris scan to carry around in a “barcode” format Signature – Digitized Voice Analysis www.technovelgy.com/ct/technologyarticle.asp?artnum=16 viewed March 17, 2007 54 Biometric Comparisons http://www.itsc.org.sg/synthesis/2002/biometric.pdf 55 Smart Cards Definition: a plastic card containing a microprocessor that enables the holder to perform operations requiring data that is stored in the microprocessor. Smart cards include a microchip for on card processing capabilities and secure, portable storage for static and dynamic passwords, digital certificates and private keys, biometrics and other data. http://en.wikipedia.org/wiki/Smart_card , viewed March 18, 2007. 56 Smart Cards Two Categories: Memory Cards Microprocessor Cards Methods of Reading Cards: Contact Smart Card Readers (ISO/IEC 7816/7810) Contactless Smart Card Readers (ISO/IEC 14443) 57 “Real Big Price Tag for Real ID” Security: For Buyers of Products, Systems, & Services. Nov2006, Vol 43 Issue 11, pg 24 Security Features 58 Security Features – Biometrics Based on physical human characteristics, making it difficult to replicate Can not be lost or stolen Potential to identify people at a high degree of certainty http://www.ax.sbiometrics.com/riskans.htm Viewed March 17, 2007 59 Security Features – Smart Cards Instead of a signature, transactions require pin numbers Merchants must meet tougher standards for collection and storage of card data Card readers can obtain information directly from card instead of retrieving it over a network Difficult to replicate Warren, Karen. “Smart Cards Under attack- Literally”. Security: For Buyers of Products. March 2006. Volume 43 Issue 3 Pg. 34-36. 60 Security Features – Smart Cards Can be Used in Collaboration with Biometrics, Making Verification more Secure Computations Can be Done in the Card Itself, so keys need to only exist in the cards Each card can Contain a Personal Firewall, so data is only extracted when external system is authenticated as having rights to the data Boyd, Laura, Patricia D’Costa, and Mansour Karimzadeh . “Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology”. Smart Card Alliance White Pater.. Feb 2003. pp2-30. Warren, Karen. “Smart Cards Under attack- Literally”. Security: For Buyers of Products. March 2006. Volume 43 Issue 3 61 Pg. 34-36. Components 62 Components – Biometric Devices Usability – should come with a practical user interface Integration Cost – Devices range in price from $50-$2000 Throughput – Time it takes to read the data. (2 seconds to read a fingerprint, 30 seconds to read an iris scan) Trigger – External or Automated Acquisition Time – Images per second Date Transfer Rate – Images transferred per second Ergonomic Design Fumy W. and Sauerbrey, J., Enterprise Security IT Security Solutions: Concepts, Practice Experiences, Technologies. Publicis Corporate Publishing. 2006 63 Components – Smart Card CPU- manages data, executes cryptographic algorithms, and enforces application rules ROM- stores operating system software RAM- temporary storage of data Electrically Erasable Programmable ReadOnly Memory (EEPROM)- stores small amounts of volatile (configuration) data “Smart Cards Get Toe-Hold”. Security Magazine. Nov 2006. pg. 24. 64 Advantages to Managers 65 Advantages – Biometrics Cost savings in the areas such as Loss Prevention and/or Time & Attendance Provides extremely accurate and secured access to information Can be done rapidly and with minimum training Identities can be linked to missing, stolen or altered documents Prevents lost, stolen, or borrowed Id cards http://www.ax.sbiometrics.com Viewed March 17, 2007 http://www.technology.com/ct/technology-article.asp?artnum=14 Viewed March 17, 2007 66 Advantages – Smart Cards Increased Security Cost Savings Easy to Use (similar to using a debit card) Faster Access to Secured Buildings Eliminates Multiple Passwords Associated With Different Software Ability to Continuously Add New Applications “Benefits of Contactless Smart Cards”. Smarter Buildings. Oct 2006. p 26. 67 Disadvantages to Managers 68 Disadvantages - Biometrics Cost Not always accessible for those with disabilities Can be viewed as an invasion of privacy http://www.cs.rockhurst.edu/semina rs/CS2003/Biometrics/index.html Viewed March 17,2007 http://ezinearticles.com/?biometrics Viewed March 17, 2007 69 Disadvantages – Smart Cards Failure Rate Expensive to Implement Flexibility of Plastic Card Hackers Keep up with Technology as soon as it is Developed Flavelle, Dana. “Chip-Based Cards may Cut Into Fraud”. Toronto Star. April 2005. Titus, John. “For Smart Cards Security is Key”. Electronic Component News. June 2006. Vol 50 Issue 7, PP. 27-28. 70 Applications 71 Applications - Biometrics Financial Services (ATM’s) Immigration and Border Control Social Services – Fraud Prevention Health Care – Security/Privacy of records Physical Access Control – Government/Office buildings Time & Attendance Computer Security – Personal Access, Network Access, Internet, E-Commerce Telecommunications – Mobile Phones, Call Center Technology Law Enforcement – Criminal Investigation National Security Education/Schools http://ezinearticles.com/?biometrics Viewed March 17, 2007 72 Applications Using Smart Cards Payment Systems Mobile Phones Physical/logical access control Secure ID Public Transit Pay TV Voting Systems Warren, Karen. “Smart Cards Under attack- Literally”. Security: For Buyers of Products. March 2006. Volume 43 Issue 3 PP. 34-36. Center For Multimedia Education and Application Development. Mulimedia University. www.cmead.mmu.edu. 2005. 73 Security Breaches 74 Security Breaches - Biometrics Hard to bypass biometric security measures because they are based on physical traits that are unique to individuals Mythbusters Video http://youtube.com/watch?v=ZncdgwjQxm0 Viewed March 17, 2007 75 Security Breaches – Smart Cards Dissection of the Card’s Components Hackers can simply remove the MCU's passivation layer and use a microscope to explore the chip or use a focused ion-beam (FIB) system to tamper with it Titus, Jon. “For Smart Cards, Security is the Key”. ECN Magazine. June 2006. pp 27-28. 76 Security Breaches – Smart Cards Differential Power Analysis An attack that observes a device’s power consumption which is highly linked to which computational power is being used, it distinguishes nonvolatile memory programming, and identifies cryptographic routines as they execute. Video Tearings (Logic Errors and Power Disruptions) These problems can reveal secrets, allowing hackers to get defective computations to execute which then helps “crack the code” Warren, Karen. “Smart Cards Under attack- Literally”. Security: For Buyers of Products. March 2006. Volume 43 Issue 3 PP. 34-36. Messerges, T.S, E.A. Dabbish, R.H. Sloan, “Examining Smart Card Security Under the Threat of Power Analysis Attacks”. IEE Transaction on Computers. May 2002. 77 "As the microprocessors in smart cards get more complicated and the amount of code increases, the chance of bugs increases substantially," -Paul Krocker, President of Cryptography Research 78 Cost Considerations of Implementation 79 Cost Considerations - Biometrics Hardware and Software Database updating Installation Connection/User system integration System Maintenance Staff Training Identification collection and information maintenance http://webhost.bridgew.edu/jcolby/it525/cost.html Viewed March 17, 2007 80 Cost Savings That’s Savings of more than $2 million for every 2,000 employees!!!!!!!!!! “Smart Cards, Smart ROI”. Security Magazine. January 2006. pp 24-26. 81 Companies Using Smart Cards U.S. Pentagon 3.1 million DOD personnel use common access cards; Cards are used to log onto computers and add digital signatures to documents. Boeing Company 200,000 employees, contractors, and partners received multifunction smart cards that primarily provide access to information systems and buildings. Still in 5 year implementation period that started in 2004. The Queens Health Network 14,000 cards have been issued. Cards contain patient’s photo ID, name, address, emergency contact, allergies, current medications, and recent lab results. Carlson, Caren. “Are You Who You Say You Are?”. Eweek. April 17, 2006. 82 Best Practices 83 Best Practices – IT Security Develop IT security policy and procedures Assess security standards and compliance with these standards Analyze threats and find ways to mitigate risks Monitor IT security and efficiently operate a security-enhanced system http://www.microsoft.com/technet/itshowcase/content/securitywebapps.mspx, viewed April 6, 2007 84 Best Practices – IT Security http://www.microsoft.com/technet/itshowcase/content/securitywebapps.mspx, viewed April 6, 2007 85 Best Practices – Doe Run The first task of the newly created CSO position was to create a security policy and procedures manual. The CSO continually monitors compliance with the security policy manual and updates accordingly. CSO performs security assessments to identify new threats and then develops procedures to protect IT assets and information CSO continually monitors systems to ensure they are operating efficiently 86 Best Practices – Smart Cards Consider all media on which the info is stored and transmitted, not just the info on the card Transmit Only Encrypted Info Remove all info captured by ID card reader as soon as the transaction is complete Use checklists for individual data fields to determine what rights each authorized group has Boyd, Laura, Patricia D’Costa, and Mansour Karimzadeh. “Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology”. Smart Card Alliance White Pater.. Feb 2003. pp2-30 87 Best Practices – Smart Cards Maximize offline portion of transactions, while minimizing online access Allow cardholders to authorize card content extraction with a password, PIN, and/or biometrics for all transactions Construct Applications so transaction records cannot be used as surveillance tools Boyd, Laura, Patricia D’Costa, and Mansour Karimzadeh. “Privacy and Security Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology”. Smart Card Alliance White Pater.. Feb 2003. pp2-30 88 Recap IT security challenges are continually increasing. Security standards evolving and adapting to meet new IT security challenges. New and innovative security procedures: Smart Cards Biometrics 89 90