Identity Theft… …or a Lack of Management
A 50,000 Foot Technology View of this Business Tsunami
Maryland Chamber of Commerce Conference 2007, Cambridge, MD
Presented by: Brian Dilley - President / Founder, eValid8 Corporation
CISA / CGEIT / MBA, Accredited Auditor
Agenda
- Introduction
- Legal Precedent
- Snap Shot
- Technology Solutions
- Independent Validation
- Logical Solutions
- Physical Solutions
- What it is going to Cost YOU!
- Frontline Report
- Open Mic
Introduction
Mr. Brian Dilley - Your Speaker
- President
- Certified Information Systems Auditor
- Accredited Mortgage Bankers PKI Auditor
- Member – Information Systems Audit and Control Association (ISACA)
- Member – ISACA Maryland Chapter
- Board Member – Howard County Chamber of Commerce
- 24 years of Experience
  - Cryptographer, IT Security Specialist, PKI Expert
  - Active PKI Internal / External auditing activities
  - FISMA SP Assessor
  - Identity Management – Global / Federal / State / Commercial
  - IRS Privacy SME
Legal Precedent
Revised TJX Settlement To Offer Customers Vouchers Or Checks
After a federal judge raised concerns about a proposed TJX settlement stemming from an intrusion into its systems that compromised 45.7 million credit and debit card numbers, the deal has been revised to offer customers a choice of a $30 store voucher or a $15 check, according to this Boston Globe article. The company has estimated that it expects breach-related costs of about $256 million. The story indicates that the litigation outcome could set a precedent ($5.00 per record) for other similar breach-related cases.
LATEST NEWS IS THAT THE BREACH COULD EXCEED 94 million CREDIT CARDS – FINES WILL INCREASE
Snap Shot
Maryland Personal Information Protection Act – 8 Sections
- Definitions
- Customer Obligations
- Protections
- Breach Provision
- Notice
- Business Affiliate
- Violation
- Good News (yada yada yada …)
If you comply with GLBA, the Federal Fair & Accurate Transaction Act, the Federal Interagency Guidelines Establishing Information Security Standards, and the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, you meet the intent of SB 194 and are covered… What analysis have you conducted?
Technology Solutions
- Encryption
  - In transit (electronic or physical)
  - In storage (long or short term)
- Documents, Tokens, Biometrics, RealID, HSPD12, PKI, Strong Authentication – all based on cryptography and/or digital certificates
- Authorized Access
  - Permissions and Rights
  - Vetting Permissions / Issuing IDs
More Technology
- VPNs: Dedicated Lines, Encryption, Session Termination
- SSH / Credential logons
- Algorithms: AES, SHA-1 or greater – RC4 can be beaten
- SSL / TLS, HTTPS
- Firewalls: Ports & Protocols – only open what is needed
- Logs: Audit, Review, Report, Investigate
Technology Statements
- Logon Warning Banners – allows prosecution; due notice has been given
- Privacy Statement – Website: do you have one?
- Retention Policy – See Vangel Paper
  - Period required by contracts or law
  - Access / Authorization / Documentation
- Destruction – SHRED! SHRED! SHRED!
  - Removal; minimize what is to be stored & retained
IT Security and Privacy Protection touches every business sector today
Organization IT Plans
IT Documents & Plans
- Privacy Statement
- System Security Plan
- Business Continuity Plans
- Backup / Archive Plans
- Retention Policies
- Destruction / Disposal Policy
- Transmission / Transportation Policy
- User Policy / Authentications
- Independent Audits / Assessments
- Plan of Action & Milestones
Controls – Technical, Logical, Physical
- All families of protection come into play
- Comprehensive Plan; Implementation of Plan; 3rd Party Validation of Plan - eValidated™
- Physical Controls: Gates, Guns, Guards, Doors, & Locks – if you have those, then the hard work begins
- Log Books: Documentation of all events, prompt reporting
- Training / Awareness: Dust the cobwebs off – all professionals go to training to keep their skills up
- Accountability: Personnel / Management
Independent Validation
- HAVING NO PLANS IS NOT BETTER
- Due diligence prevents lawsuits based upon negligence
- LAWYERS HAVE IDENTIFIED THIS AS ANOTHER ASBESTOS HEYDAY FOR THEIR INDUSTRY
- This time all businesses are in play – IT crosses all industries
Certified IT Auditors
- Right Profession for the Right Engagement
- ISACA – ANSI Accredited CISA / CISM Trained Professionals
- Security and Privacy separation of duties provides management with a check and balance
- Globally Recognized Professionals
- Continuing Education Units
What it is Going to Cost You!
- Penalties: Applicable laws vary, but are cumulative
- Credit Monitoring Cost: $100 * 100K User Database = $10,000,000
- Notification Cost: $0.41 * 100K User Database = $41,000
- Required improvements: $5,000 - $100,000,000
- Legal Defenses, Senior IT Professionals
This is for one minor database being lost!
More $$$$$$$$$$$$$$$$$$
- Lawsuits – not only from individuals, but from companies that have entrusted their information to you
  - The sky is the limit – Tort Law prevails
- Trained Professionals
  - Over $100K per year, per professional – local business level
  - U.S. Government pays over $250K per year, per professional
  - Conservative Estimate: let's assume 400,000 specialists = $100,000,000,000 per year
  - Based on 3,000,000 Federal (Non-DoD) employees by the Census Bureau (2005); e.g. DHS employs over 800K employees as of 2006
More $$$$$$$$$$$$$$$$$$
- Business against Business: VISA, MasterCard, American Express; Healthcare Privacy Information retained
- Consumers against Business: Clients
- Lawyer growth industry – this will be an emerging trend for litigation and restitutions
- Privacy tied to security solutions
- Legal Ramifications on Two Fronts
Frontline Report
- Old practices are what makes it work
  - Watching, all the time
  - Awareness improves behavior, improves response times
  - Accountability and Responsibility
  - Independent Assessments – Regular basis
- Technology – Part of the solution
  - Scales
  - Provides Strong protections / authentication / logging
  - Electronic Non-Repudiation
More News…
- People: Biggest Exposure and Solution Component
- Physical & Cyber Security have got to work together
- Old perceptions and paradigms must be broken
- Jobs will not be replaced by technology
Security enables Privacy --> Privacy enables Trust --> Trust enables Business!
Open Mic
Contact Information (If you want a copy)
eValid8 Corporation
Phone:
Fax:
Where are those files?
Business Landscape
References
- GAO Report – Identity Awareness
- President’s Strategic Plan
- U.S. Government Identity Theft Website
- NIST IT Security Publications
- Maryland Law