CertAnon Anonymous WAN Authentication Service Approval Presentation

CertAnon
Anonymous WAN Authentication
Service
Approval Presentation
Red Group
CS410
May 1, 2007
Our Team
Presentation Outline
• Problem Description
• Solution Description
• Process Description
• Solution Characteristics
• Marketing Plan, ROI
• Management Plan
• Milestones, Deliverables, Budgets
• Risk Management
• Conclusion
Who is Chockalingam Ramanathan?
• Part of a group using stolen passwords to empty investors’ accounts [1]
• Hit prominent brokers such as TD Ameritrade, E*Trade, and Charles Schwab
• Resulted in more than $2 million in losses, which were absorbed by the brokers
• Fourth tech-intrusion case filed by the SEC since December 2006
1. http://www.washingtonpost.com/wp-dyn/content/article/2007/03/12/AR2007031201558.html
Fraud Stats
• From 2005 – 2006 [2]
  – 8.9 million victims of online fraud or identity theft
  – Total losses to identity theft and online fraud jumped from $54.4 billion to $56.6 billion
  – Mean resolution time per incident skyrocketed from 28 to 40 hours per victim
2. http://www.verisignsecured.com/content/Default.aspx?edu_stats_body.html
Going Phishing
• Phishing sites are on the rise [3]
• Over 7 million phishing attempts per day
3. Anti-Phishing Working Group - http://www.antiphishing.org/
Consumers’ Online Activities
[Figure: bar chart comparing "% of Internet Users" and "% Time spent online" (y-axis 0–70%) for four activities: Bank online, Make travel reservations, Communication, Commerce; sources 4 and 5]
4. Clickz.com - http://www.clickz.com/showPage.html?page=3481976#table
5. Clickz.com - http://www.clickz.com/img/Share_of_Time.html
Password Overload
[Figure: bar chart of "% of Surveyed Professionals" (y-axis 0–35%) who have 6-15 passwords versus over 15 passwords; source 6]
6. RSA Security Password Management Survey http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf
The Problem
• Single-factor password authentication is easily compromised and endangers the security of online accounts.
  – Username/Password paradigm is insecure [7]
  – Management of multiple strong passwords is difficult for individuals
  – Fraudulent online account access and associated costs are increasing
7. http://www.schneier.com/crypto-gram-0503.html#2
The Endangered Password
• More online accounts = more passwords
• Complexity of passwords is limited by the human factor [8]
• Vulnerability is enhanced by the technology factor
• Dissemination is too easy
• Once compromised, a password is no longer effective for authentication
8. http://www.schneier.com/blog/archives/2006/12/realworld_passw.html
CertAnon – A New Proposal
• Anonymous WAN authentication service
  – Used for any and all online accounts
  – Strong two-factor authentication
  – Limited information sharing
• Partner with online businesses
• Initial customers are Internet users
Two-Factor Authentication [9]
• Something you know
  – A single PIN
• Plus something you have
  – Hardware token generating pseudorandom numbers
• Effectively changes your password every 60 seconds
9. RSA - http://www.rsasecurity.com/node.asp?id=1156
RSA SecurID Users
Two-Factor Acceptance
• Rolls Royce & Bentley Motor Cars
  – Uses RSA SecurID authentication
  – Enables them to use the Internet securely as a cost-effective and efficient extension to their corporate network
• E*Trade Financial
  – Provides retail customers the option to add Digital Security ID to their Internet security solution
  – Helps guard against unauthorized account access
Reaching the Goal
• Build a WAN authentication service that permits customers to securely access all of their online accounts using a single access method
  – Build our website
  – Write software modules for partner sites
  – Develop testing portal
  – Install authentication servers
  – Distribute tokens
  – Beta-testing, then go live!
What Would It Look Like?
4. Bob goes to E*Trade's website to sign in.
   Username: TraderBob
   (His E*Trade username is TraderBob, so he types that as usual.)
   Password: 1a2b3c234836
   (He looks at the code on his token display. He types his PIN and that token code in the Password field.)
5. And now he's in his E*Trade account!
6. One minute later, he jumps to the Yahoo! mail page to check e-mail.
   Username: SpamBob
   (His Yahoo! username is SpamBob, so he types that as usual.)
   Password: 1a2b3c184675
   (He looks at the code on his token display. He types his PIN and that token code in the Password field.)
7. And now he's in his Yahoo! account!
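The login flow on the Two-Factor Authentication slide and in Bob's walkthrough above (a PIN typed together with a token code that changes every 60 seconds, forwarded by the partner site to a central authentication server, and the same token reused at E*Trade and Yahoo!) as an added, simulated example in Python. This is not code from the CertAnon project or from RSA: the token-code algorithm (HMAC-SHA1 over a 60-second time step, TOTP-style; real SecurID tokens use a different, proprietary algorithm), the AuthServer and PartnerSite classes, the token serial, seed and timestamps are all constructed for illustration. The PIN 1a2b3c is the one on the slide; the codes are computed, not the slide's.

```python
# Added example (not CertAnon or RSA code). Simulates the slide's flow:
# token display -> user types PIN + token code -> partner site forwards
# the passcode -> CertAnon authentication server verifies it.
# Assumptions: TOTP-style HMAC-SHA1 token codes (RSA SecurID's real
# algorithm is proprietary); the PIN is stored only as a salted PBKDF2
# hash; the partner site never stores or inspects the passcode.
import hashlib
import hmac
import secrets
import struct

TOKEN_PERIOD = 60   # seconds; slide: "changes your password every 60 seconds"
CODE_DIGITS = 6     # digits shown on the token display (assumption)


def token_code(seed: bytes, now: int) -> str:
    """The code the token displays at unix time `now` (assumed algorithm)."""
    step = now // TOKEN_PERIOD
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def _hash_pin(salt: bytes, pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class AuthServer:
    """Simulated CertAnon authentication server."""

    def __init__(self) -> None:
        self._tokens = {}     # token serial -> (seed, pin_salt, pin_hash)
        self._last_step = {}  # token serial -> last accepted time step

    def enroll(self, serial: str, seed: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._tokens[serial] = (seed, salt, _hash_pin(salt, pin))

    def verify(self, serial: str, passcode: str, now: int) -> bool:
        record = self._tokens.get(serial)
        if record is None or len(passcode) <= CODE_DIGITS:
            return False
        seed, salt, pin_hash = record
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        if not hmac.compare_digest(_hash_pin(salt, pin), pin_hash):
            return False                           # "something you know" failed
        step = now // TOKEN_PERIOD
        # Accept the current step and the previous one (clock drift), but a
        # step that has already been accepted is never accepted again, so a
        # captured passcode cannot be replayed at a second partner site.
        for candidate in (step, step - 1):
            if candidate <= self._last_step.get(serial, -1):
                continue
            expected = token_code(seed, candidate * TOKEN_PERIOD)
            if hmac.compare_digest(expected, code):
                self._last_step[serial] = candidate
                return True
        return False                               # "something you have" failed


class PartnerSite:
    """A partner web site (E*Trade or Yahoo! on the slide). It keeps only the
    mapping from its own username to a CertAnon token serial."""

    def __init__(self, name: str, auth: AuthServer) -> None:
        self.name = name
        self.auth = auth
        self.accounts = {}    # site username -> token serial

    def link_account(self, username: str, serial: str) -> None:
        self.accounts[username] = serial

    def login(self, username: str, password: str, now: int) -> bool:
        serial = self.accounts.get(username)
        return serial is not None and self.auth.verify(serial, password, now)


def demo() -> dict:
    """Bob's walkthrough with constructed values; returns each outcome."""
    server = AuthServer()
    seed = b"constructed-seed-for-bobs-token"           # constructed
    server.enroll("TOKEN-0001", seed, "1a2b3c")         # PIN from the slide
    etrade = PartnerSite("E*Trade", server)
    etrade.link_account("TraderBob", "TOKEN-0001")
    yahoo = PartnerSite("Yahoo!", server)
    yahoo.link_account("SpamBob", "TOKEN-0001")
    t0 = 1_177_977_600                                   # constructed timestamp
    code0 = token_code(seed, t0)
    code1 = token_code(seed, t0 + 60)
    return {
        "etrade_ok": etrade.login("TraderBob", "1a2b3c" + code0, t0),
        # the same passcode captured and replayed at Yahoo! ten seconds later
        "replay_rejected": not yahoo.login("SpamBob", "1a2b3c" + code0, t0 + 10),
        # one minute later Bob reads a fresh code and signs in to Yahoo!
        "yahoo_ok": yahoo.login("SpamBob", "1a2b3c" + code1, t0 + 60),
        # a wrong PIN with a valid code is refused
        "bad_pin_rejected": not etrade.login("TraderBob", "000000" + code1, t0 + 60),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'pass' if passed else 'FAIL'}")
```

Two design points worth noting. The partner sites hold only a username-to-serial mapping, which is what "Full passcodes not stored in a hackable database" on the ROI slide amounts to: a breach of E*Trade's table yields nothing that logs in anywhere. The one-step drift window means a code is accepted for up to two minutes rather than one; the last-accepted-step record is what keeps a passcode read from one login from working a second time within that window.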
Who is Our Customer?
• Two sales channels
• Individual Internet user (211 million of them!) [10]
  – Purchases CertAnon token for one-time fee of $50
  – Obtaining a critical mass of customers makes CertAnon a must-have for online vendors
  – Could provide leverage to charge vendors on a transaction basis in the future
• Security-conscious businesses
  – Purchase batches of tokens for redistribution to their customers
  – Focus on those without proprietary solutions
10. Internet World Stats - http://www.internetworldstats.com/stats2.htm
Marketing Strategy
• Offer software modules for customer integration
  – Freely available to encourage adoption of the service
• Approach financial companies not already using a two-factor authentication method
  – Bulk token sales
  – Enable them to offer the same customer security as larger competitors without the infrastructure expense
  – Token reusability will encourage faster customer adoption
• Advertising strategies
  – Internet advertising
  – Computer shows/trade shows
  – Promotional token giveaways
ROI for Consumers
• Reduce/eliminate need for multiple passwords
• Avoid password theft, unauthorized account access, and fraud
• Information isn’t stored on a card or device that can be lost
• Full passcodes not stored in a hackable database that is a single point of failure
ROI for Businesses
• Very low cost
• Avoid implementing a costly proprietary solution
• Improves security of customer base by moving more people away from passwords
• Reduces losses from fraud reimbursement
• Snaps into existing infrastructure with minimal development
• Customers who don't use CertAnon will be unaffected
Cons
• Reliance on a physical token
  – Forgotten
  – Broken
  – Lost or stolen
• Inadequate for sight-impaired users
• Customer service coordination will need to be handled carefully
Competition Matrix
Management Plan
Team Communications
• Team meetings (via AOL AIM):
  – Sunday/Tuesday 8:00 P.M.
  – Additional meetings as needed
  – Meetings with Professor Brunelle as needed
  – Meetings with Technical Advisors as needed
• Google Group for document management and messaging
Phase 0 Gantt Chart
Phase 1 Gantt Chart
Phase 1 Major Components
[Figure: Phase 1 component diagram with these elements: CertAnon website (Account setup, Data, Auth Server Update); Test user on workstation with token simulation software (Login attempt / Login response); Simulated Partner Web Site (Auth request / Auth response); Workstation running simulated authentication manager software (Data)]
Phase 1 Development WBS
Phase 1 Organizational Chart
Phase 1 Staffing Budget
Position                        Type     Quantity  Hours  Rate  Total
Documentation Specialist        Student  1         30     $15   $452
Financial Director              Student  1         24     $15   $362
Hardware Manager                Student  1         92     $15   $1,377
Project Manager                 Student  1         64     $15   $960
Risk Director                   Student  1         52     $15   $785
Software Manager                Student  1         500    $15   $7,497
Web Developer                   Student  1         486    $15   $7,292
Total Cost                                                      $18,723
40% Overhead                                                    $7,489
Total Phase 1 Staffing Budget                                   $26,212
Phase 1 Resource Budget
Description                                        Quantity  Cost
Dell Servers - Web site & DB hosting               4         $11,632
Dell Workstations - Dedicated PC’s for team use    5         $6,990
MySQL - Web site back end database                 --        $0
PHP - Web sites and plug-in modules                --        $0
Website - Hosting by ODU                           1         $0
Total Cost:                                                  $18,622
40% Overhead:                                                $7,449
Total Phase 1 Resource Cost:                                 $26,071
Phase 2 Gantt Chart
Phase 2 Organizational Chart
Phase 2 Staffing Budget
Position                        Type   Quantity  Hours  Rate  Total
Documentation Specialist        Staff  1         552    $18   $9,713
Financial Director              Staff  1         94     $68   $6,372
Hardware Manager                Staff  1         200    $20   $3,901
HR Manager                      Staff  1         172    $29   $5,053
Project Manager                 Staff  1         136    $29   $3,883
QA Engineer                     Staff  1         774    $21   $16,009
Risk Director                   Staff  1         8      $18   $140
Software Engineer 1             Staff  1         440    $22   $9,718
Software Manager                Staff  1         334    $42   $13,961
Technical Director              Staff  1         136    $50   $6,835
Web Developer                   Staff  1         790    $28   $22,143
Total Cost                                                    $97,728
40% Overhead                                                  $39,091
Total Phase 2 Staffing Budget                                 $136,819
Phase 2 Resource Budget
Description                                                                 Quantity  Cost
RSA Authentication Manager Server License                                   4         $12,000
Dell Servers - Running RSA Authentication Mgr software                      4         $11,632
Dell Workstations - PC’s for additional staff                               4         $5,592
RSA Training                                                                --        $1,600
Visual Studio Professional 2005 - Used for additional plug-in development   2         $1,338
RSA Tokens                                                                  10        $500
Total Cost:                                                                           $32,622
40% Overhead:                                                                         $13,065
Total Phase 2 Resource Cost:                                                          $45,687
Phase 3 Gantt Chart
Phase 3 Organizational Chart
Phase 3 Staffing Budget
Position                        Type   Quantity  Hours  Salary    Total
Customer Service Reps           Staff  5         2,080  $30,400   $152,000
Documentation Specialist        Staff  1         440    $36,600   $7,742
Financial Director              Staff  1         278    $140,500  $18,778
Hardware Manager                Staff  1         200    $40,600   $3,899
HR Manager                      Staff  1         528    $61,100   $15,510
Marketing Director              Staff  1         1,161  $99,900   $55,763
Project Manager                 Staff  1         1,391  $59,600   $39,866
QA Engineer                     Staff  1         350    $43,000   $7,233
Sales Representative            Staff  3         2,080  $40,488   $121,464
Software Engineer 1             Staff  1         320    $45,900   $7,062
Software Manager                Staff  1         345    $87,000   $14,443
Technical Director              Staff  1         1,280  $104,400  $64,268
Web Developer                   Staff  1         320    $58,300   $8,969
Total Cost                                                        $516,997
40% Overhead                                                      $206,799
Total Phase 3 Staffing Budget                                     $723,796
Phase 3 Resource Budget
Description                                                        Quantity  Cost
Secure Server Hosting - Hosting authentication servers remotely    --        $48,000
Dell Workstations - PC’s for additional staff                      9         $12,582
Dell Servers - Web site database servers with RAID arrays          2         $5,816
Total Cost:                                                                  $66,398
40% Overhead                                                                 $26,560
Total Phase 3 Resource Cost:                                                 $92,958
Total Project Cost
Phase                 Staffing   Resources  Phase Total
Phase 1               $26,212    $26,071    $52,283
Phase 2               $136,819   $45,687    $182,506
Phase 3 (One Year)    $723,796   $92,958    $816,754
Total Phases 1-3      $886,827   $164,716   $1,051,543
Out Years (Annual)    $629,776   $67,200    $696,976
Item                              Marginal Cost  Per # of Customers  Cost per Customer
Token                             $30            1                   $30.00
Authentication Server             $2,908         250,000             $0.01
RSA Auth Mgr License              $3,000         250,000             $0.01
Secure Hosting (3 Years)          $36,000        250,000             $0.14
Total Cost                                                           $30.17
40% Overhead                                                         $12.07
Total Marginal Cost Per Customer                                     $42.23
Marginal Revenue Per Customer                                        $50.00
Profit Per Customer                                                  $7.77
Break Even Analysis
[Figure: "Cumulative Break Even Analysis (Year 0 = Phase 3)", Revenue ($0 to $60,000,000) by Year (0 to 3), two series: Total Revenue and Total Cost]
Year  Tokens Sold  Total Revenue  Total Cost   Profit
0     --           $ --           $816,754     $(816,754)
1     150,000      $7,500,000     $7,848,933   $(348,933)
2     500,000      $25,000,000    $23,328,049  $1,671,951
3     1,000,000    $50,000,000    $45,142,368  $4,857,632
Funding Plan
• SBIR Funding Agency: National Science Foundation
  – Phase 1: $100,000 max, $52k planned
  – Phase 2: $750,000 or two years, $183k planned
• Phase 3
  – Venture capital investment
  – Small business loan
  – Revenue from token sales
Risk Management Plan
• Identify project risks
• Determine the phase that the risk is in
• Categorize risks according to probability and impact
• Reduce risks before or as they happen with mitigation actions
• Continue to reevaluate risks during all phases
• Watch for new risks
Risks and Mitigation
[Figure: risk matrix plotting risks 1–7 by Impact (1-Low to 5-High) against Probability (1-Low to 5-High)]
#  Risk                              Mitigation
1  Trust                             Beta-testing
2  Customer understanding            Tutorials on website
3  Reliance on token sales revenue   Encourage early partner site adoption
4  Viable alternatives               Single source two-factor
5  Token loss                        Provide temporary password access
6  Token availability                Offer online and through retail outlets
7  Government vs. Anonymity          Follow the lead of encryption products
Evaluation Plan
• Time
  – Measured against baseline project plan
• Cost
  – Measured against budget plan by phase
• Scope
  – Measured against requirement document
• Quality
  – Measured by customer adoption rate and satisfaction
Evaluation Phases
• Phase 0
  – Idea developed
  – Project website developed
  – Funding secured
• Phase 1
  – Prototype design
  – Working prototype
  – Initial customer demonstration
• Phase 2
  – Product design
  – Software module development
  – Software module testing
  – Integration testing
  – Finished product
• Phase 3
  – First sale completed
  – Product released
  – Marketing plan developed
  – Successful marketing
  – New contracts acquired
Conclusion
• Available, affordable, and proven technology
• Targets a large and growing market
• Benefits consumers and online businesses
• Scalable service
• Manageable project scope, achievable milestones
References
• “3 Indicted in Online Brokerage Hacking Scheme.” Washington Post. 13 Mar. 2007. Carrie Johnson. 2 Apr. 2007 <http://www.washingtonpost.com/wpdyn/content/article/2007/03/12/AR2007031201558.html>.
• “Internet Penetration and Impact.” Pew/Internet. April 2006. Pew Internet & American Life Project. 28 Jan. 2007 <http://www.pewinternet.org/pdfs/PIP_Internet_Impact.pdf>.
• “Internet Statistics Compendium - Sample.” E-consultancy.com. 9 Jan. 2007. E-consultancy.com LTD. 28 Jan. 2007 <http://www.econsultancy.com/publications/download/91130/internet-statscompendium/internet-stats-compendium-January-2007-SAMPLE.doc>.
• “Internet World Stats.” Internet World Stats. 10 Mar. 2007. Internet World Stats. 22 Apr. 2007 <http://www.internetworldstats.com/stats2.htm>.
• “Online Banking Increased 47% since 2002.” ClickZ Stats. 9 Feb. 2007. The ClickZ Network. 15 Feb. 2007 <http://www.clickz.com/showPage.html?page=3481976#table>.
• “Phishing Activity Trends: Report for the Month of November, 2006.” Anti-Phishing Working Group. Nov. 2006. Anti-Phishing Working Group. 28 Jan. 2007 <http://www.antiphishing.org/reports/apwg_report_november_2006.pdf>.
• “Real-World Passwords.” Schneier on Security. 14 Dec. 2006. Bruce Schneier. 28 Jan. 2007 <http://www.schneier.com/blog/archives/2006/12/realworld_passw.html>.
• “RSA SecurID Authentication.” RSA Security. 2007. RSA Security, Inc. 28 Jan. 2007 <http://www.rsasecurity.com/node.asp?id=1156>.
• “RSA Security Password Management Survey.” RSA Security. Sep. 2006. Wikipedia. 15 Feb. 2007 <http://www.rsa.com/products/SOM/whitepapers/PASSW_WP_0906.pdf>.
• “Share of Time Spent Online.” ClickZ Stats. 27 Feb. 2007. The ClickZ Network. 28 Feb. 2007 <http://www.clickz.com/img/Share_of_Time.html>.
Appendix
• Abstract
• SBIR Document
• Management Plan
• Evaluation Plan
• Resource Plan
• Marketing Plan
• Funding Plan
• Staffing Plan
• Risk Management Plan
• Hardware Specifications
• Work Breakdown Structure
• Additional Diagrams