
Questions we will explore: What is Security? Why is it relevant? What does it cost?

Presentation transcript:

2 Questions we will explore: What is Security? Why is it relevant? What does it cost?

3 Who are you, who am I? Bank of America fraud investigations, identity theft and national fraud team. Policing and physical security training. Worked with computer security for almost 9 years. Software developer w/ Collin Couch & portal team.

4 Who are we? Meeting format. Recurrence. SIG goals: The goal of this group will be to discuss and obtain hands-on experience with security concerns pertaining to web application development. Focus will be on understanding the principles of security and advancing those principles in our current environment. This will be accomplished through: implementing security best practices, auditing our current environments, and being departmental advocates of software security.

5 What is Security? Real terms: Confidentiality of information (secrecy); Data or information integrity (accuracy); Availability of information (generational). To secure something means to make it safe and to be confident in that safety.

6 Security as a principle Application security principles are collections of desirable application properties, behaviors, designs and implementation practices that attempt to reduce the likelihood of threat realization and impact should that threat be realized. Security principles are language-independent, architecturally-neutral primitives that can be leveraged within most software development methodologies to design and construct applications. Principles are important because they help us make security decisions in new situations with the same basic ideas. By considering each of these principles, we can derive security requirements, make architecture and implementation decisions, and identify possible weaknesses in systems. http://www.owasp.org/index.php/Category:Principle

7 False Assumptions: Security is complexity; Obscurity is security; The risk isn’t real; The infrastructure won’t fail me; Internal threats don’t exist.

8 Why is this relevant? The number of US adult victims of identity fraud decreased from 10.1 million in 2003 and 9.3 million in 2005 to 8.9 million in 2006. Javelin/Better Business Bureau Survey - January 2006

9 Reality Check Education-related organizations account for nearly one-third, 31%, of all the data breach incidents reported in the U.S., although the Education Sector makes up 0.6% (at least) to 13% (at most) of all entities in the U.S. Education-related organizations reported that more than 12.4 million student and consumer profiles have been compromised in 324 breach incidents, which account for more than 25% of all profiles compromised through “typical” information security breaches. Source: How Safe are we in our schools?, Joseph E. Campana PhD (2008) http://www.jcampana.com/JCampanaDocuments/EducationSectorDataBreachStudy.pdf

10 Breach incidents 2008 *

Sector     | Count of Incidents
Business   | 144
Education  | 103
Government | 79
Medical    | 56
Total      | 382

Some studies show as high as 656 breaches, at a total of 35,691,255 million accounts **

* http://www.idtheftcenter.org/BreachPDF/ITRC_Breach_Stats_Report_2008_final.pdf
** http://www.privacyrights.org/ar/ChronDataBreaches.htm#2008

11 Hacker perspective Let’s look at our data from a data thief's perspective. The identity bundles consisted of a name, address, Social Security number, and at least one bank or credit card account. Prices ranged from $14 to $18 per identity. http://www.internetnews.com/security/article.php/3666531 Source: Identity Theft Resource Center. On average, criminals obtained $5,720 in goods and services from each fraud victim. http://www.privacyrights.org/ar/idtheftsurveys.htm

12 Costs to Business Studies on the total cost of identity theft vary. One study said that identity theft cost U.S. businesses and consumers $56.6 billion in 2005. According to one expert, the loss or theft of just one laptop can cost a company as much as $90,000 or more in fines, credit monitoring for victims, public relations damage control, and class action litigation. According to the U.S. Department of Justice Statistics, identity theft is now passing up drug trafficking as the number one crime in the nation. A preliminary study done by ITRC shows that the majority of ID theft criminals are repeat offenders. Other convictions include substance abuse, narcotic trafficking, violent crime, robbery, and immigration issues. Source: Identity Theft Resource Center

13 Costs to Business p.2 Possible loss of jobs and budgets: “I estimate that these initiatives will require approximately $5.5 to $8 million, of which $2.5 million will be ongoing and $3 to $5.5 million will be one-time costs. Sources for these funds can include the $4 million allocated by the Board, as well as the existing IT budget.” http://www.ohio.edu/outlook/05-06/July/611-056a.cfm More recent: “In the second quarter of fiscal 2008, the Company recorded an after-tax cash charge of approximately $118 million, or $.25 per share, with respect to the previously announced computer intrusion(s).” (CIO - TJMAX) http://www.businesswire.com/portal/site/tjx/index.jsp?epi-content=GENERIC&newsId=20070814005701&ndmHsc=v2*A938775600000*B1187233541000*C4102491599000*DgroupByDate*J2*N1001148&newsLang=en&beanID=1809476786&viewID=news_view

14 Breach Losses The Unisys study also reported that 69% of those surveyed said they would stop using a site that lost their personal information. Forrester Research did a study entitled “Calculating the cost of a security breach.” In this study the following data was reported: Of 83 corporate IT managers, 28 acknowledged having to cope with a data breach. The costs of a data breach vary widely, ranging from $90 to $305 per customer record, depending on whether the breach is “low-profile” or “high-profile” and whether the company is in a non-regulated or highly regulated area, such as banking. In counting up costs, Forrester estimated the cost at $50 for the discovery, notification and response that brings in unexpected expenses associated with legal counsel, call centers and mail notification. It also noted lost employee productivity that would range from $20 to $30 per customer record. Source: Identity Theft Resource Center

15 Customer Effects Time: Closing existing accounts; Working to resolve fake charges; Filing a complaint with the FTC; Filing a report with your local police department; Potentially applying for a new SSN.

Victims’ Out-of-Pocket Expenses

                | New & Other | Existing Non-CC | Existing CC | All ID Theft
Median          | $40         | $0              | $0          | $0
90th Percentile | $3,000      | $900            | $132        | $1,200
95th Percentile | $5,000      | $1,200          | $400        | $2,000

http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf

16 State Laws http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf Most states have individual laws that require compromised companies to notify their customers within set time frames, or face heavy penalties and in some cases even jail time.

17 Making a difference

18 Management Suggestions
Staff Training and Awareness: many important solutions are less about technology and more about people being smart and aggressive.
Administrators and Managers Need Information: all projects and services need to take security into account.
Always Understand the Risks: no system is 100% safe, so understand what’s protected and to what degree.
Review the Data You Store: what information do you store, and how long do you keep data copies?

19 Developer Suggestions
Review Your Server Logs: servers record everything that they are doing; watch for warning signs that may indicate foul play.
Audit your own systems: do unto yourself what others may do unto you (and do it before they do).
Learn the best practices: http://www.owasp.org/index.php/Main_Page http://www.asp.net/Learn/Security/ http://www.whitehatsec.com/home/solutions/bestpractices.html
