
Superhighway Robbery: The Real Cost of Cyber Security NACUBO July 18, 2004 Copyright Mark Franklin, 2004. This work is the intellectual property of the.


Slide 1: Superhighway Robbery: The Real Cost of Cyber Security
NACUBO July 18, 2004
Copyright Mark Franklin, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Slide 2: Our Systems Are Under Constant Attack
Trojan horses
Worms
Viruses
Spam
Hackers
Disgruntled insiders
Script kiddies

Slide 3: Some of These Attacks Succeed Spectacularly
Loss of personal data
Outages
Potentially huge costs:
–Productivity loss (user and IT staff)
–Remediation
–User notification
–Bad publicity, loss of credibility
–Lawsuits?
See “Damage Control: When Your Security Incident Hits the 6 O’Clock News” www.educause.edu/ir/library/ra/EDU0307.ram

Slide 4: IT Security Risks Escalate
More and more important information and transactions are online:
–Personal identity information
–Financial transactions
–Course enrollment, grades
–Tests, quizzes administered online
–Licensed materials
–Confidential research data
We must comply with increasingly strict regulations:
–Health information - HIPAA: http://www.hhs.gov/ocr/hipaa/
–Educational records - FERPA: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

Slide 5: Specific Example: Student Information System
Online enrollment, schedule, grades
FERPA protected information
Available to hackers
Q: What if someone hacks your authentication system and potentially downloads grades from thousands of students?
A: You are probably obligated by law to notify every individual whose grades may have been exposed!

Slide 6: How Can PKI Help?
One example:
–A better solution for network authentication

Slide 7: Users HATE Usernames and Passwords
Too many for them to manage:
–Re-use same password
–Use weak (easy to remember) passwords
–Rely on “remember my password” crutches
Forgotten password help desk calls cost $25 - $200 each (IDC) and are far too common
As we put more services online, it just gets worse…

Slide 8: Usernames and Passwords Require Expensive Administration
Many different username/password schemes to learn, set up, and administer:
–Backups, password resets, revoking access, initial password values, etc.
Multiple administrators have access to usernames/passwords – many points of failure
Each forgotten password help desk event costs $25 - $200 (IDC report)

Slide 9: Password Sharing
Corrupts value of username/password for authentication and authorization.
Users do share passwords: PKI Lab survey of 171 undergraduates revealed that 75% of them shared their password and fewer than half of those changed it after sharing.

Slide 10: PKI’s Answer to Password Woes
Better security
Lower overall cost
Convenience for the user

Slide 11: PKI Provides Two Factor Authentication
Requires something the user has (credentials in their possession) in addition to something a user knows (local password to unlock the credentials).
Significant security improvement, especially with smartcard or token (a post-it next to the screen is no longer a major security hole).
Greatly reduces password sharing (need to share credentials too).

Slide 12: PKI Passwords Are User Managed
Stored in user’s possession, NOT on network
User carries only copy of the password, changes it with no administrator or network involvement
One password per set of PKI credentials
Likely only one or two sets of credentials per user (securely reduces number of passwords)
Only one type of password to be forgotten, and it’s used constantly so not likely forgotten

Slide 13: Underlying Key Technology
Asymmetric encryption uses a pair of keys, each of which is the only way to decrypt data encrypted with the other.
One key is private and protected; the other is public and freely distributed.
In authentication, the client proves its identity by its ability to encrypt or decrypt something with the private key on demand from the server.
Private key and password always stay in the user’s possession.
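The challenge/response exchange slide 13 describes, written out as an added Go example (not code from the talk or the Dartmouth PKI Lab): the server issues a random nonce, the client signs it with a private key that never leaves its side, and the server verifies using the public key alone. The 2048-bit RSA key, 32-byte nonce and RSA-PSS signature scheme are this example's assumptions, not details from the slides.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Client keeps the private key: in the talk's model it lives in the user's
// browser store, smartcard or token and never crosses the network.
type Client struct{ priv *rsa.PrivateKey }
// Server keeps only the user's public key, as read from the certificate.
type Server struct{ pub *rsa.PublicKey }

// NewPair builds a client/server pair around one fresh key pair (2048-bit RSA is this example's choice).
func NewPair() (*Client, *Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv}, &Server{&priv.PublicKey}, nil
}

// Challenge issues a fresh random nonce per login so a captured response cannot be replayed.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing system CSPRNG is not recoverable here
	}
	return nonce
}

// Respond signs the nonce with the private key; only the signature is sent, never the key.
func (c *Client) Respond(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, c.priv, crypto.SHA256, digest[:], nil)
}

// Verify: the server checks the signature using the public key alone.
func (s *Server) Verify(nonce, sig []byte) error {
	digest := sha256.Sum256(nonce)
	return rsa.VerifyPSS(s.pub, crypto.SHA256, digest[:], sig, nil)
}

// Authenticate runs one complete challenge/response exchange.
func Authenticate(c *Client, s *Server) bool {
	nonce := s.Challenge()
	sig, err := c.Respond(nonce)
	return err == nil && s.Verify(nonce, sig) == nil
}
```

Because every login uses a new nonce, a recorded response is useless against a later challenge, and because the server holds no secret, a compromised server leaks nothing that lets an attacker impersonate the user.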

Slide 14: Server Administration Simplified
Just implement PKI authentication (standard in many server applications)
No need to provision, maintain, synchronize, reset, back up passwords
PKI infrastructure cost factored across many applications = significant savings

Slide 15: But Wait There’s More… It slices, it dices…
Beyond Authentication, PKI Enables:
Digital signatures allow business automation.
Encryption protects data from all but intended recipients.
S/MIME combines the two for vastly improved email security.

Slide 16: PKI Benefit: Digital Signatures
Our computerized world still relies heavily on handwritten signatures on paper.
PKI allows digital signatures, recognized by Federal Government as legal signatures:
–Reduce paperwork with electronic forms.
–Much faster and more traceable business processes.
–Improved assurance of electronic transactions (e.g. really know who that email was from).
Federal digital signature information: http://museum.nist.gov/exhibits/timeline/item.cfm?itemId=78

Slide 17: Dartmouth PKI Lab
R&D to make PKI a practical component of campus networks
Multi-campus collaboration sponsored by the Mellon Foundation
Dual objectives:
–Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
–Improve the current state of the art. Identify security issues in current products. Develop solutions to the problems.

Slide 18: Production PKI Applications at Dartmouth
Dartmouth certificate authority
–890 end users have certificates,
–639 of them are students
PKI authentication in production for:
–Banner Student Information System
–Library Electronic Journals
–Tuck School of Business Portal
–VPN Concentrator
–Blackboard CMS
–Software downloads

Slide 19: For More Information
Outreach web: www.dartmouth.edu/~deploypki
Dartmouth PKI Lab information: www.dartmouth.edu/~pkilab
Dartmouth user information, getting a Dartmouth certificate: www.dartmouth.edu/~pki
Mark.J.Franklin@dartmouth.edu
I’ll happily send copies of these slides upon request.

