Information Security

966 views

Published on

Distributed in Washington Post, June 22, 2009

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
966
On SlideShare
0
From Embeds
0
Number of Embeds
11
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Information Security

  1. 1. JUNE 2009 INFORMATION SECURITY Volume II
  2. 2. INFORMATION SECURITY Combating Cybercrime CONTENTS in an Information-Driven World Not only has information technology revolutionized the way Technology providers, too, are working ag- Cyber Wars Fought on New Battlefields 4 gressively to deliver better protection. we live, work, and play, it has also changed the way crimes New Education in Virtual World for Kids 4 Through increasingly sophisticated yet easy- may be committed. The same digital infrastructure that we Controlling Access While Controlling Cost 4 to-use products and services that safeguard Dynamic Risks Demand Vigilance 5 rely upon has also given rise to a thriving underground consumers and businesses against evolving 2009 Gartner Information Security Summit 6 economy that is mature, professional, efficient, and profitable. internal and external cyber threats, regard- less of the computing device they are using I Memorial Hospital: Smart Card Optimization 6 n this clandestine marketplace, cyber- Preventative Medicine for your Network 6 criminals from around the globe buy, and the network they are on, Internet users ‘Smart’ Solution for Health Care IT 7 sell, and trade millions of dollars worth have a powerful ally in the fight against cy- MRC: Increasing e-Commerce Profitability 7 of stolen goods as well as services and tools bercrime. And new platforms and methods Southwest Airlines Cuts Fraud 50% 7 designed to facilitate online theft and fraud. for securely storing and using data are con- For example, some cybercriminals might tinually emerging, while next-generation in- The Fight Against Online Fraud 7 choose to advertise or buy stolen identities, formation management frameworks now Ask the Information Security Experts 8 credit card information, or bank account make it easier for organizations to enforce Publisher: Max Friend data. They even offer discounts for bulk pur- compliance with the many industry and gov- chases. Others might provide services, such ernment standards designed to protect them. max.friend@mediaplanet.com as cashing out financial accounts to un- The naming of a cyber security czar by traceable locations online in just minutes. Enrique Salem, President and CEO, U.S. President Barack Obama will go a long Editorial Contributor: David Duffy Still others might sell malicious tools, in- Symantec way in facilitating the coordination of a Design: Jez MacBean cluding botnets, vulnerability scanners, and public/private partnership by fostering Printer: Washington Post vulnerability exploit kits. This commerce steal an identity or to help them launch greater information sharing between pri- Photos: ©iStockphoto.com creates income-generating opportunities additional attacks. vate business and government agencies in throughout the supply-and-demand chain The success of the cyber underworld the U.S. The designation of a cyber security MediaPlanet is the leading publisher of the underground economy and ultimately hinges on the collaboration and coopera- coordinator, together with the proposed in providing high quality and increases the risk to the global economy. tion of individual cybercriminals as well as near-term action plan aimed at supporting in-depth analysis on topical industry and market issues, in print, online Regardless of their role in the under- crime syndicates operating from virtually U.S. cyber security policy, will help focus ef- and broadcast. ground economy, cybercriminals are after anywhere an Internet connection can be forts by the federal government to invest the same thing: end-user data, from full found. And, as more and more countries more resources into cyber security research For more information about identities complete with name, address, extend their broadband infrastructures, cy- and development projects shared by a pub- supplements in the daily press, please and Social Security number, to email ad- bercriminals will gain an even larger pool lic/private partnership. Moreover, the ap- contact Kayvan Salmanpour on dresses and passwords, banking creden- of potential victims and business partners. pointment of a cyber security policy official +1 646 922 1400 tials, and credit card numbers with CVV2 The most effective defense against cy- will lend the weight of the White House to- kayvan.salmanpour@mediaplanet.com wards more cooperation among business details. In 2008 an astonishing 78 percent bercrime will require the combined efforts of threats to confidential information ex- of individual users as well as businesses, and law enforcement to address cybercrime This section was written by ported user data, according to the latest government agencies, and schools and uni- on an international scale. MediaPlanet and did not involve volume of the Symantec Internet Security versities. Thanks in part to many public/pri- As individuals and organizations in the pub- The Washington Post News or Editorial Departments. Threat Report (ISTR), which provides an vate partnerships such as the National lic and private sectors work together to fight annual overview and analysis of world- Cyber Security Alliance (NCSA) and Internet cybercrime and are supported by government wide Internet threat activity and a review Keep Safe Coalition, tips for safely navigat- leaders around the world, the global online www.mediaplanet.com of the Internet threat environment. This ing cyberspace are available from the con- community can confidently maximize the op- data could be used by cybercriminals to venience of virtually any browser. portunities and benefits the Internet provides.
  3. 3. INFORMATION SECURITY dispute with Russia in 2007. These attacks Cyber Wars Fought on New Battlefields are increasingly large and intelligent by de- sign, global in nature, and generally difficult From the gateway to the cloud, it’s all about knowing your enemy to trace back to the source of the attacker(s). The problem, in a nutshell, says Sop, is that it's “many against one. These days, any moti- f there was any doubt left, the news I control system is vulnerable to cyber at- Trusted Internet Connections (TIC) program him – or let him in and gather intelligence vated attacker can download botnet building that the White House is naming a tacks. Then, of course, there was Georgia. is reducing the federal government’s con- about who he is and what he wants.” programs from the Internet. A person with the “cyber czar” and the Pentagon is creat- “That was the wake-up call, if we needed nections, or access points, to the Internet It’s also possible to see what he takes right skills can easily assemble a botnet of ing a new military cyber command should one,” says Darrell Covell, founder and chief from the more than 4,300 in January 2008 with him when he leaves and track where 10,000 or 20,000 computers in a day, and have dispelled it. We are living in the age technology officer of Rsignia, Inc., a net- to fewer than 100. “You just can’t secure he goes. That kind of intelligence is a big these botnets can’t be disabled fast enough. of cyber warfare. work security and protection company ac- that many gateways,” says Gary Woods, part of being prepared and ultimately win- Ultimately the best strategy is to develop a Consider the following: cyber attacks tive in cyber defense. “Russian cyber gangs Rsignia’s director of federal sales for engi- ning a cyber war. As Covell puts it, “Once capability to defend against these DDoS at- forced the FBI and the U.S. Marshals to shut down that country’s entire infrastruc- neered solutions. But with a manageable you find a snake in the grass, why wouldn’t tacks.” Prolexic’s solution engages the enemy shut down part of their computer net- ture. It’s the current case study for cyber number of access points, applications like you want to see what he’s up to?” “in the cloud,” close to the attacker, and takes works last month. In May, the Wall Street warfare capabilities.” ones developed by Rsignia can screen Cyber attacks come in many forms, and advantage of Internet routing protocols to di- Journal reported the Defense Department The United States has significant cyber prospective entrants, including those using attackers have a wide range of motives – po- vert all the traffic headed for a particular site detected 360 million attempts to break warfare capabilities – both defensive and “spoofed” Internet protocol (IP) addresses litical, financial, philosophical, organizational, to globally-distributed scrubbing centers that into its network in 2008 (compared with offensive – and companies like Rsignia are to disguise their true identities. “When the etc., and some are just plain ticked off. Today, act as “black holes,” where malicious attack six million in 2006). Cyber crooks have working with government departments and UPS man shows up at your door, maybe he’s just about any business is a potential target. traffic is inspected, filtered, separated from penetrated both the U.S. electricity grid agencies to improve current cyber defenses for real, and maybe he’s someone else en- According to Paul Sop, Chief Technology Of- good traffic and blocked - all in real-time. and the Pentagon’s biggest weapon pro- and develop new resources. One critical tirely,” Woods says. “We can strip off the ficer at Prolexic Technologies, a firm special- “Prolexic technology makes it seem like gram. The Department of Transportation’s area, of course, is controlling access. The uniform and look deeper into the protocols izing in network protection services, the most your web site is global and massive -- im- inspector general says the U.S. air traffic Office of Management and Budget’s to decide whether to let the guy in, block debilitating form of cyber attack is the dis- possible to take down,” Sop says. “Then we tributed denial of service (DDoS) attack, in have experts who use some pretty incredi- which thousands of hijacked PCs are assem- ble technology to prove the requests are bled into a “botnet” and can be used to bom- from real people, not botnets. We're fight- bard the target with Internet traffic to the ing the attackers and the attacks they point where legitimate visitors can’t get launch. This game is as much about psy- through. DDoS attacks were used against chology as it is technology. Attackers are Georgia last year, and they effectively took always at work inventing new strategies. the Baltic nation of Estonia off line during a It's our job to stay ahead of them." Controlling Access While Controlling Cost New Education in Virtual World for Kids New app is easy for users and an OMNIKEY® reader, is an example. The challenge was providing companies C hildren today grow up in a world where online activities can materially compromise the security of home and too – a key criterion school computers. For many users, computer security is an unwelcome necessity, and when security measures “two-factor” user authentication capa- are finally in place, the last thing the semi-savvy user needs is a child pushing the limits of connectedness. Human nature being what it is, network bility (access card and PIN) for desktop Many parents and educators are unprepared to help children navigate online security hazards. More than 60% of edu- security often has as much to do with and laptop computers, without issuing cators do not know how to teach students about detecting and minimizing viruses (NCSA 2008). “Children need early se- ease-of-use as it does with passwords and new “smart cards” to every employee. curity training,” says iKeepSafe president, Marsali Hancock. “Illegal downloading of music and games begins in fourth protocols. With the economy in its current The answer lay in enabling existing HID grade; cyber-bullying in second [RIT 2008]. Nothing will un-do a parent's best security efforts like a kid trying to illegally state, not adding cost helps too. “We bring access control credentials – some 300 mil- download a game or song. “ higher levels of security to the organiza- lion have been issued worldwide – to log onto With these trends, parents and educators are turning to the next generation in social networking where kids learn essen- tion and convenience to the end user,” says Microsoft Windows. The naviGO application tials of cyber-security and ethics in their favorite setting—a virtual world. WoogiWorld, identified by Parents Magazine as one Dan DeBlasio, director of business devel- allows badge-holders to manage their en- of the top five next generation sites for kids, has educators and kids alike flocking to this new approach to education. opment, Identity and Access Management rollment and establish PINs, and provides for WoogiWorld CEO Scott Dow tells parents and educators, "WoogiWorld is much more than fun and games; students learn (IAM) for the Americas, at HID Global, the access through knowledge-based authenti- core academic subjects, health, nutrition, music and art. Our unique approach succeeds through a crossover of online and of- trusted worldwide leader in providing so- cation when cards are lost or forgotten. fline activities. 'Woogies’ earn ‘Watts' [the currency of this virtual world] by completing important tasks in the real world." lutions for the delivery of secure identity. “A risk-appropriate solution,” De- Children learn to balance screen-time with real life, to be active in their communities and helpful at home. The launch in March of HID on the Blasio says. “The infrastructure was For more information, go to: www.ikeepsafe.org/woogiworld Desktop™, which includes the new nav- there, and we weren’t adding a large iGO™software, an HID technology card amount of burden.”
  4. 4. INFORMATION SECURITY Dynamic Risks Demand Vigilance that Goes Beyond Compliance As threats to information grow, more as do the malicious attacks they complex problems. We’ve lived in a bi- end up in court, and that means the in- launch. According to Butterworth, op- nary world so we know what it looks like vestigation can’t contaminate the evi- comprehensive solutions are warranted erating systems won’t always recog- – or should look like. We’ve designed our dence. We don’t change anything. We nize that someone has inserted a new applications to recognize things an op- maintain a sound environment.” I f your company has a computer of confidential information threats in network, you don’t just have a se- 2008 exported user data. A February piece of malicious software. One cur- erating system maybe won’t.” curity risk. You have a dynamic se- 2009 Symantec white paper on “Web rent hacker favorite is the malware About thirty percent of Guidance curity risk, that is, one that changes Based Attacks” found that just about that enables the so-called “drive-by Software clients are government de- and evolves every hour of every day as any Web site today can be compro- download.” It sits on a Web site the at- partments and agencies, such as the the network itself changes with new mised by cyber crooks. tackers have compromised and looks Departments of Defense, State and Jus- users, new visitors, new applications “Too often we tend to think in terms for vulnerabilities on visiting comput- tice, and the SEC. One factor companies and new information, and the makeup of ‘information security,’ which is a ers. When it finds one, it deposits more looking to enhance network security of the Internet itself evolves, at a mas- compliance driven posture, as in, I’ve malware designed to steal the visitor’s should bear in mind – the need to pro- sive rate of speed and complexity. done everything required to make my personal information. The visitor does- tect evidence in a forensically sound According to the most recent Inter- information secure,” says Jim Butter- n’t have to do a thing to launch the at- manner. In addition to its EnCase Cy- net Security Threat Report by Syman- worth, senior director of cybersecurity tack, and without vigilant monitoring, bersecurity software solution, the com- tec, the number of new malicious code for Guidance Software, a provider of the owner of the web site will not be pany’s professional services organiza- signatures on the Internet increased cybersecurity, eDiscovery and other dig- aware anything is amiss. tion assists with digital investigations. 265 percent in 2008 to more than 1.65 ital investigation solutions. “We should As Butterworth puts it, “At the outset, million. As the attacks and attackers think in terms of ‘cybersecurity,’ which GUIDANCE SOFTWARE we don’t know whether we ultimately both become more complex and so- means monitoring the operations con- This is where companies like Guidance will be looking to assist in the termina- phisticated, their most common goal ducted on your network 24/7/365.” Software can help. “We have over a tion of an employee, litigation against a Jim Butterworth, Senior Director remains constant – financial gain. The It’s a fact of Internet life that the decade of experience in digital foren- competitor, or the incarceration of a of Cyber Security, Guidance Symantec report found that 78 percent bad guys keep getting more insidious, sics,” says Butterworth. “We’re used to criminal. We do know we’re likely to Software, Inc.
  5. 5. INFORMATION SECURITY Smart Cards 2009 Gartner Security Summit Focuses Optimize Info at Memorial on Network and Career Security Hospital in NH excited by our outside keynote speaker, he Memorial Hospital in North Information security needs are growing faster than ever as challenges and solutions become more complex. David Sanger of the New York Times, who’s just published a thought-provok- ing book that’s already climbing the T Conway, New Hampshire, had a problem, one common in the health care industry. It was running best-seller charts on the challenges fac- four different databases of patient t the same time, the economy vacy protection tools and emerging ing the new administration in cyber information, and of course, none of A is applying the heaviest budg- etary pressure in decades. The 2009 Gartner Information Security trends and new federal initiatives re- garding cyberspace.” Dawkins recently offered some ad- space. We’ll also have a keynote panel on national cyber security strategy at a time when the president and the secre- them talked to each other. Wherever patients went, they had to re-regis- ter. They got annoyed. Hospital staff got less than perfect information. Summit, June 28-July 1 in Washing- vance insights on what else to expect at tary of defense have put this issue front The error count crept up. Billing and ton D.C., focuses on the IT security the 2009 Summit. and center on the national agenda. payments slowed down. Just about professional and how they can opti- every operation was affected. mize their value while enhancing Q. Who should attend? Q. What about some of the smaller The available solutions, short of their skills and knowledge to better sessions? starting over, were few, expensive, protect their organization in tough A. Anyone with an interest in enter- and complicated. Until Memorial encountered the LifeMed smart economic times. prise-wide security and critical infra- Alwyn Dawkins, Senior Vice President, A. We’re seeing a lot of interest in cloud card. “We found we could overlay structure protection. CIOs, CSOs, Gartner Events computing and government security issues, the smart card system, and it would ANALYSTS CISOs and CTOs, of course. But also managing costs and maximizing value, and talk to all four existing databases,” “Our team of analysts, led by confer- other IT executives, network man- Q. Tell us a little about the overall a case study on the costs and cures of data says Lawrence Carbonaro, director ence chairs, Vic Wheatman, Chris agers, risk managers, and auditors. agenda. breaches with the CEO of Heartland Pay- of patient access. “Patients would Byrnes and John Pescatore, will con- Because of the pervasiveness of the ment Systems. There are also 16 ana- register once, we’d have an audit centrate on the tools, technologies Internet in business today, just about A. There are more than 100 sessions on lyst/user roundtables, with 12 to 15 partic- trail for their information, and en- and management practices that are any senior executive will find value. an incredible range of topics, all geared ipants, allowing for give and take with those cryption and two-part authoriza- needed to run a security operation Since we’re in Washington, we in- toward protecting your IT infrastructure, who share an interest in a particular topic. tion provided the security.” Memorial spent about a year in- that’s efficient, safe and economical,” cluded a special segment for people keeping your business secure, and man- Attendees are eligible for CPE credits stalling the system. It set goals – said Alwyn Dawkins, senior vice presi- working in the public sector and a aging your career in a time when it will (ISC2/CISSP and ISACA). Incentive pric- among them, improve the quality of dent, events, at Gartner, Inc. “The pro- suggested agenda for government at- clearly be affected by both technology ing available. More information at data, reduce the error date from 7 gram includes privacy policies and pri- tendees. trends and economic dynamics. We’re www.gartner.com/us/itsecurity to 2 percent, and shorten reim- bursement to fewer than 50 days. The new system went live April 1. So far, 4,000 cards have been issued to Practicing Preventative errors or something else, related to spe- cific IP addresses. “We can scan 10 ma- the hospital’s potential patient uni- chines or 100,000 – daily,” Austin says. verse of 20,000-25,000. “Patients love it,” Carbonaro The software identifies vulnerabilities and Medicine for your Network any exploits that have occurred. It will suggest repairs or restoration. It can also conduct penetration testing, that is, says. “They register once, they swipe the card and they’re good to go.” The error rate on smart card- enabled accounts is already below onsider a CAT scan for your com- ability assessment and penetration testing C computers, according to Symantec’s most launch the exploit in a simulated fashion 3 percent and falling. The hospital puter network. Just as preventa- tools, says 15 new network vulnerabilities recent Internet Security Threat Report. to show the nature and extent of poten- is making measurable progress to- tive medicine is critical to health are disclosed every day – that’s almost tial damage. ward all its goals. care, examining your computer, network, 5,500 a year – and those are only the ones VULNERABILITIES “Most products are defensive in na- Memorial plans over time to or data system for vulnerabilities is es- that are made public. Some lead to large Software provided by Saint Corporation ture,” Austin says. “We provide an offen- make LifeMed smart cards the cen- ter of its information system. “That’s sential to keeping it safe from digital scale damage. By the end of 2008, the can run the equivalent of a CAT scan on sive module that tests the network just another beauty – you can start as viruses and a host of other threats. Downadup (also known as Conficker) a single computer or multi-machine net- as the bad guys would.” To paraphrase a small or as big as you want and Billy Austin, chief security officer of worm had exploited a single vulnerability work and show all the vulnerabilities, time-proven adage, a few meg of pre- grow,” Carbonaro says. Saint Corporation, which provides vulner- to infect more than a million individual whether missing patches or configuration vention is worth a gig of cure.
  6. 6. majority of multi-channel merchants. online fraud evolve into opportunities conference sessions, hosted webinars, • The number of merchants falling for new business models regarding data regulatory change updates and reports on under the umbrella of e-Commerce is security and online payment strategies. today’s growing complexities of fraud, steadily increasing. The Merchant Risk Council (MRC), a electronic payments, and online security. The Electronic Commerce industry is • Online categories, industries, and ver- merchant-led trade association focused The MRC has historically facilitated in- rapidly maturing – evidenced by: tical markets are rapidly expanding on electronic commerce risk and pay- dustry networking aimed at preventing • Consumer confidence levels are at an (social networking, digital downloads, ments, is helping merchants identify and online fraud. Today, our new education all-time high for online purchasing. and gaming among many others). tackle these emerging growth issues that and advocacy programs are helping mer- • Online sales continue to out-pace all As an industry, we are seeing the tra- are unique to e-Commerce. The MRC pro- chants succeed with their online payment, Tom Donlea, Executive Director, other revenue channels for the vast ditional merchant challenges of fighting vides industry stakeholders with special security and risk programs of tomorrow. Merchant Risk Council Southwest Airlines Cuts New Tools Give Companies Fraud 50% with Accertify here’s always room for improvement. Southwest Airlines, one of the most the Upper Hand in the Fight T successful companies in the history of the industry, enjoys an unprecedented string of 36 consecutive years of profitability. Its online fraud rate was con- sistently below industry norms, but with online bookings reaching nearly 80 per- Against Online Fraud cent in 2008 (southwest.com is the number one airline website for online revenue, process is key to preventing all types of It’s a multi-billion-dollar problem the consumer according to PhoCusWright), management thought it could do better. It wanted fraud, from retail crime to social scams. a solution that was scalable, customizable, and leveraged new fraud-fighting rarely sees. But companies involved in e-com- “Companies need to strengthen their technologies without affecting the airline’s well-deserved reputation for cus- merce know all about it – they’re footing the bill. defenses by getting control of their data tomer service. and using more automation and new Southwest selected Accertify’s Interceptas platform because it was the most nline fraud. It cost U.S. retailers O line travel industry so they designed Ac- technologies in their fraud prevention comprehensive and flexible fraud-prevention platform in the industry. Interceptas more than $4 billion last year certify’s software from a merchant’s point programs,” Long says. “By choosing a so- was implemented in June 2008, providing a workbench platform that integrated alone. But the problem affects of view. “Accertify offers the first end-to- lution that is designed to be flexible and all of the best-practice tools and key components required for a complete fraud more than merchants. The anonymity of end application to manage e-merchant integrates multiple fraud-fighting prevention program. Implementation was quick and simple. Robust data manage- the Internet provides an easy environ- risk,” Long says. “Previously, clients had processes and tools, they will see a re- ment enabled Southwest to access 30 times more data in its screening process. The ment for fraudsters to scam almost any to establish relationships with multiple duction in fraud losses more quickly and increase in available data paved the way for applying new business rules. The new type of organization, including airlines, vendors, which was cumbersome and in- be able to adapt to new fraud schemes platform streamlined a cumbersome manual review process and eliminated the hoteliers, government agencies, providers efficient. We offer a fully integrated plat- as they occur.” need to use the passenger reservation system and other internal systems for re- of digital downloads and multi-level form that focuses on work-flow and Accertify has worked with Southwest views. A simple point-and-click process enabled Southwest to completely cus- marketing companies. Social networks closes the gaps fraudsters slip through.” Airlines to reduce its online fraud rate by tomize the user interface in less than a day. The integrated nature of Interceptas have become targets for international According to Long, the importance of 50 percent in four months. Other clients has also facilitated transaction resolution and chargeback processing. con artists who misrepresent their iden- data management is often overlooked in include Urban Outfitters, Tickets.com and The result? A significant reduction in fraud, leading to real bottom-line savings. tities to steal from other users. combating fraud. Companies typically keep 1-800-FLOWERS.COM. Interceptas has provided Southwest with a clear return on investment. Four According to Michael Long, chief prod- data from customer profiles, registrations, Long points out that the real cost of months after implementation (the company’s normal chargeback cycle), South- uct strategist at Accertify, Inc., reining in purchases, merchandise returns and his- online fraud goes beyond disputed or- west saw a 50 percent reduction in its fraud rate as a percentage of sales, and in fraud can have an immediate and long- torical transactions stored in different ders and chargeback penalties. Manual revenue losses due to fraud. Since then, the fraud rate has continued to decline. lasting impact on the bottom line. Long places, files and formats. Analyzing and order review is expensive and slows cus- and his fellow founders worked in the on- importing all this data into the prevention tomer service. ‘Smart’ Solution for Health Care IT Modernization Smart cards – plastic cards embed- cure from those who don’t,” Vanderhoof changed information. By authenticating control over their health care information, T he need to bring the health care industry’s information systems ded with microprocessors – address sev- says. “Imagine not having to fill out the the patient and the insurer, they can cut and it starts building toward 100 percent into the 21st century is well eral of the critical issues facing the same form every time you go to the down on medical fraud. And the software accurate and complete medical records.” known. President Obama recently ear- health care industry, according to Randy doctor or the hospital. That’s just the behind them can talk to multiple data- “Smart card technology has been marked $18 billion to drive the process Vanderhoof, executive director of the beginning of what smart cards can do.” bases, making medical information truly around for years, it’s proven,” Vanderhoof forward. What’s perhaps less well ap- Smart Card Alliance. “Smart cards can Smart cards use sophisticated encryp- portable. “Think of it as a secure, portable says, pointing to employee and govern- preciated is that the technology re- capture patient information electroni- tion and two-part authentication to give database with translating capabilities,” ment ID cards as examples. “Smart cards quired to put health care records online cally – eliminating 90 percent of the pa- patients control over who has access to says David Batchelor, CEO of LifeMed Card, provide a secure identity platform when in a simple, secure and accountable perwork – and make it available to their personal information. They provide an Inc., a supplier of smart card solutions to they start architecting the new health manner already exists. those who need it while keeping it se- audit trail, recording who has added or the health care industry. “It gives patients care IT systems.”
  7. 7. INFORMATION SECURITY Ask the Information Security Experts Darrell Covell, Founder/CTO Paul Sop, Chief Technology Jeffrey Liesendahl, Chief Dan DeBlasio, Director of Dale Grogan, Director of Smart Rsignia, Inc Officer, Prolexic Technologies Executive Officer, Accertify Business Development, Identity Card Initiatives for LifeMed and Access Management (IAM) Card, Inc What do you believe is the biggest What does the future of cyber-warfare, What trends are you seeing in online Americas, HID Global threat in Cyber Security today? and more specifically cyber-defense, fraud prevention? How can smart cards improve security look like? How does "Risk-appropriate" authenti- in healthcare? First, acknowledge the reality of cyber Cybercrime is a global problem. Crimi- cation increase the value of security in terrorism. Stop hiding behind politically A couple of trends are at work. The at- nals are increasingly organized and so- A patient’s healthcare information is an organization? correct/safe terms such as “cyber secu- tackers keep getting more sophisticated. phisticated in using false identities to stored everywhere – at hospitals, physi- rity” and expose it for what it really is: They’ve gone up against most of the steal money and goods via the web. So The usernames and passwords that or- cians’ offices, pharmacies, insurance Cyber Warfare! Russian cybergangs suc- commercially available technological de- retailers, government agencies and ganizations use to protect their comput- companies – the list goes on. Unfortu- cessfully shut down Georgia’s entire in- fenses, and attackers know what they’re other organizations doing business on- ers and networks are too easily guessed, nately, this sensitive medical information frastructure. We cannot delay implemen- dealing with. Attackers increasingly work line have to be more proactive in pro- shared or stolen. “Strong Authentication,” is susceptible to theft; one of the fastest tation of cyber offensive capabilities. As for sponsors. They keep launching attacks tecting themselves and their customers, which requires devices such as a smart growing segments of identity theft is we move to 10GigE, upward of 40GigE we as long as their sponsor pays them. This especially in the current economic en- card or a one-time password generation medical information. Thus, protecting need technologies that support such. Sec- means it will keep getting harder to put vironment. Companies are doing every- token, increases security, but has been ex- medical information is vital. Data on ond, we need to expose vulnerabilities as the actual attackers in jail, and we are thing possible to improve the online ex- pensive. With “Risk-appropriate” authen- smart cards are heavily encrypted, provide these come not only from the outside but still left with the problem of how to de- perience for consumers and maximize tication, businesses use a blend of tech- accurate identity confirmation, and act as also from within. Rsignia has offensive fend against their attacks. Fundamen- e-commerce revenues. But they also nologies based on the location of their a secure entry point for medical retrieval cyber solutions available today providing tally, we have to engage the bad guys in have to make more efficient use of lim- users and the value of the information from multiple sources. As medical records sophisticated engineered solutions to the cloud, on the Internet, before their ited resources and eliminate opera- protected. Frequent travelers might use become more widely distributed, (vis a vis these vulnerabilities. Exposing vulnerabil- attacks get near their victims. Fighting tional costs. They are focused on initia- smart cards, while their office-based col- President Obama’s $18 billion initiative to ities without a solution is irresponsible. these attacks requires much more than tives with a quick return on investment. leagues would use their physical access fund Health Information Exchanges) the Rsignia works closely with the intel com- technology. You need battle-hardened Online fraud prevention is a critical badges, along with a personal identifica- need to accurately identify and track pa- munity as our engineers address current pros, real people who’ve analyzed all the area to address because companies can tion number (PIN), to access their PCs. tients, persons contributing patient infor- cyber warfare issues such as ID spoofing, different styles of attacks out there, peo- achieve results almost immediately. It’s This “convergence” of physical and logical mation, and users of that medical infor- location attribution, fibre tapping, sonet ple who very likely can recognize who about more than cutting fraud losses access is gaining popularity as it allows mation becomes more crucial. The point: capture, layer correlations, IDS with GUI they’re going up against. Victory today is and fraud-related customer complaints. business to comply with industry IT secu- smart cards help ensure patient medical interfaces that utilize current open source making the attacker lose interest. That’s It’s also about increasing accuracy, ef- rity regulations using assets that have al- record security and have been proven to solutions. These are new offensive cyber more and more a matter of psychology ficiency and productivity of fraud- ready been paid for. With this approach, be an unparalleled portable medical warfare solutions, where the old toolsets and technology. There’s no panacea. As fighting efforts so the issue doesn’t the overall level of security in an organi- record device that provides accurate pa- cannot keep up. We need an aggressive the attacks get more customized, the de- damage profitability, expansion plans or zation is increased, while technology in- tient identity, reduces fraud, while forward thinking stance. fenses have to respond in kind. brand reputation. vestments are appropriately controlled. streamlining patient registration.

×