Insights:Security

March 2006. Published by Dow Jones.

In this issue: Banks Seek to Balance Security and Convenience; ID Theft Becoming Rarer but More Costly; Biometrics Make Inroads in PC and Laptop Security.

Small Data Breaches Have Greater Impact

BY TERRI CULLEN

Two scenarios: a) You're notified by an online retailer that you're among millions of customers whose account information was lost or stolen; or b) you learn a former staffer has stolen employee names, addresses and Social Security numbers from your small business. Which one puts you at greater risk for identity theft?

If you chose "b," you'd be correct, according to a recently released study by ID Analytics, a San Diego company that helps companies combat fraud using pattern-recognition technology. The company examined billions of bits of identifiable information, such as Social Security numbers, cellphone numbers, dates of birth and credit-card account numbers, from consumers who were victims of security breaches.

The study analyzed four cases of security breaches, two involving the theft or loss of sensitive data, including names and Social Security numbers, and two involving credit-card account information only.

Turns out size does matter: The study found that individuals involved in mass data security breaches are less likely to have their information misused than victims of smaller data breaches.

The sheer volume of consumers affected slows identity thieves down, said Mike Cook, vice president of product services at ID Analytics and one of the company's co-founders. "We applied identity theft to real work terms, eight-hour days, with breaks and vacation time, and found that it would take a fraudster 40 years to work a million stolen IDs," he said.

Some disclosure: ID Analytics,

(Continued on page 10)

Data Theft, Competition Big Issues In Security

As the government ratchets up pressure on the market, security firms are struggling to fight the identity theft 'panic.' Meanwhile, Microsoft is shaking up the industry as it prepares for a major security software offensive.

BY MARK BOSLET

Data security continues to be a major source of concern at U.S. businesses. Yet, security products haven't been able to offer dramatic new steps to protect data.

The situation has companies deploying incremental - albeit more sophisticated - measures to guard sensitive information as they debate what security innovations - and legislative requirements - will follow.

The debate continued recently at the RSA Conference 2006, one of the security industry's largest shows, where 275 companies exhibited and approximately 14,000 people attended. Microsoft Corp. Chairman Bill Gates and Cisco Systems Inc. Chief Executive John Chambers were among the speakers at the San Jose event.

This year's conference also saw a security landscape more complicated by the expanding role Microsoft will play as it unveils key initiatives this year. The software giant said recently that its Internet Security and Acceleration Server 2006, an important firewall product for the business market, went into public beta testing prior to commercial release. The company also talked up technology it bought from privately held FutureSoft Inc. to filter malicious messages from Web traffic and unveiled pricing for its widely anticipated consumer anti-virus service, OneCare Live.

A one-year subscription to OneCare Live will be available in June for $49.95, and the product will include the Defender anti-spyware and a data-backup program. Microsoft has a separate anti-spyware product for the business market.

According to industry sources, Microsoft's new Vista version of Windows, due out in late September, will have a built-in "shopping cart" that could help spread the OneCare Live service. The shopping cart will target consumers and allow for one-click purchases of anti-spyware and anti-virus, said one industry source.

For a new generation of security professionals, however, identity theft is the most challenging new threat. In the past year alone, 52.6 million Americans had personal information compromised, according to the Privacy Rights Clearinghouse, a non-profit consumer information organization. Few companies are immune.

"With one out of five Americans being hit, there is a panic in the industry," said Eric Drew, founder of Knightsbridge Castle Inc., a software developer focusing on the identity-loss market.

The problem is indeed severe enough that the government is stepping in. Twenty-three states already have laws requiring public notification when personal data is stolen, and three or four bills are now pending in both the Senate and House.

A national bill could emerge this year, said Paul Kurtz, executive director of the Cyber Security Industry Alliance, an industry association. The impact could be significant. "It really is a crossroads," said Kurtz. "Businesses can

(Continued on page 12)

UNISYS EXPERT ADVERTISEMENT

John Souder, Vice President of Identification Solutions

How might security and privacy be improved through the use of advanced card technologies like smart cards?

A decade ago, I worked more closely with law enforcement agencies, where I was involved in the training of latent print examiners. Through that experience, I learned a lot about the types of cases that came through the crime laboratories. What was interesting was to see how perpetrators came across their victims. One of the scenarios related to driver licenses - where someone might see your address on the front of your driver's license at the grocery store and then commit a crime against you or your property. There was vulnerability in those days but from a different aspect. Today, identity theft and fraud are growing rapidly. As a result, we need to look at this from a holistic viewpoint. Smart cards can offer more protection by encrypting the personal data on a driver's license and encoding it into a chip inside the card. This increases privacy for people and gives them more security when they are using their identification or credit cards. Often, when you go to a retail store, you are asked for your driver's license along with your credit card, exposing your personal information to the potential for fraud.

tion and proposes a simple model that industry can readily adapt to its unique requirements. Industry can also look to the financial sector for guidance in this area as financial institutions have considerable experience to share with regards to secure credit card production and issuance. However, the most important aspects that must be addressed are the non-technology issues such as policies, procedures and practices. Private sector companies must implement their systems based on the desired level of security, and describe where, how and when personal data is stored and used. Transparency will help reduce anxiety and fear.

How would a database be safeguarded from tampering and theft?

Technology is available that allows companies to encrypt database information so anyone with access to the data on a normal day-to-day basis would only see the items they are authorized to view; the rest would remain hidden. The data is also protected from accidental release and theft, thus providing additional protection. Another interesting feature that this technology can now provide is the ability to de-identify certain data for research or analysis purposes. Doctors and medical researchers still need continued access to medical information for research purposes. Unfortunately this data also contains social security and other personal information that might be misused or misappropriated. However, by only allowing access to certain data elements, the information that can link an individual to the specific data remains separate (de-identified) and encrypted. Of course, it's more expensive to do this as mentioned earlier. But it is likely less costly than the potential damage to companies who allow data to be compromised and exposed. If it wasn't for California's Security Breach Information Act

Interoperability simply means that if you want to use your identification document in another state or country, the other state or country must be able to read it. HSPD-12, mentioned earlier, mandated the establishment of a federal standard (i.e., Federal Information Processing Standards Publication 201, a.k.a. FIPS 201) for vetting federal employees and contractor identities; providing secure and reliable forms of identification for federal employees and contractors; and lastly, the use of a common credential for gaining access to federally controlled facilities and logical access to federally controlled information systems. FIPS 201 will become the de facto standard and will ultimately be adopted by international governments for identification and credentialing initiatives as it addresses identity management lifecycle processes from vetting and enrollment to verification of identity using biometrics, public key infrastructure and smart card technologies.

Are there any examples of multi-purpose identification credentials in use today?

There is one high profile project, the "MyKAD" project in Malaysia—the first multi-purpose smart card project for a government identity program. When Malaysia defined the project a number of years ago, it was thinking ahead to prepare for a high-tech country and industry. It wanted a credential to use once the infrastructure was in place so that one card could function as a national identification card, a driver's license, an immigration card and a healthcare card, along with providing an electronic cash capability. In addition, MyKad provides storage of digital certificates to encrypt and digitally sign electronic transactions. Hong Kong recently created a similar smart card program and in the 1990s, Spain started a similar multi-media oriented program with its TASS card for
