Security & Privacy


Cost, Complexity & Compliance Issues for State Governments

February 22, 2014



© 2005 BearingPoint, Inc.

Reality Check?

Nearly all vulnerabilities and threats seen in 2004 (viruses, trojans, worms, malware, etc.) were designed to insert an agent for internet crime.

Data is now the target.



2005 Security Breaches



Easy Targets

Source: 2004 AOL & NCSA Survey


- 50% of home broadband users do not have a firewall (67% if dial-up is included)
- 40% of home wireless networks are wide open
- Malware continues to hit PCs
  - 2/3 of home users had not updated their antivirus software within the last week
  - 15% reported having no antivirus software
  - Nearly 20% were infected with a virus
  - 63% had been hit with a virus before
- Spyware is on the rise
  - 80% of home computers were infected
  - 88% did not know it
  - The average infected computer had 93 spyware components
  - 95% said they never gave permission for the programs to be installed
- 84% had financial and health information on the PC
- 75% used the home PC for banking and shopping



Easy Access


“An estimated 60 billion emails were sent in 2004.” (IDC)

“83% of email is spam.” (MessageLabs, 2004)

“A 3,000-user organization generates 1,032 terabytes of email data per annum.” (IDC, 2004)

“Email stores are growing on average 37% per annum.” (Osterman Research, 2004)

“$4 billion spent annually on technologies to fight email threats.” (CFO Magazine)

“52 billion spam messages and 900 million viruses will be emailed each day in 2005.” (Radicati Group)

“Malicious ‘payloads’ now delivered in the form of viruses, trojan horses, etc. Virus ratio in email:” [chart]

“The rate at which new hosts are ‘zombied’ rose from 2,000 per day to 30,000 per day during the first six months of 2004.” (Symantec)

Sample virus effect: Code Red [figure] (Source: CAIDA)



Easy Rewards

                      2003                         2004
ID Theft              5.6%  (approx 12 million)    6.8%  (approx 14 million)
Credit Card Theft     13.3% (approx 28 million)    18.2% (approx 39 million)
Check Fraud           10.4% (approx 22 million)    10.2% (approx 22 million)

Identity theft and identity-related fraud continue to grow, with approximately 14 million adults reporting identity theft events.

Source: STAR


Phishing: customers are contacted by fraudsters via email (or phone) and are led to provide personal information such as an SSN or financial account data.

- Approximately 43% of adults (roughly 91 million) have received a phishing contact
  - 37% (approx 78 million) received a phishing email
  - 19% (approx 40 million) received a phishing phone call
- 5% of adults (approx 4.5 million) contacted by phishing fraudsters provided the requested personal data




State Security Breach Bills

[Map of the United States with each state shaded as one of: Existing & Proposed laws / Proposed laws / No Proposals]

Restrictions and permissions for outsourcing sensitive consumer data may be next.



Higher Expectations


State and local governments are increasingly turning to electronic means for transactions (obtaining a hunting license, renewing a driver’s license). Benefits include the reduction of staffing and other overhead costs. With the benefits, however, comes the challenge of ensuring that individuals are who they claim to be.

E-Government initiatives must meet citizens’ expectation that the state will protect individuals’ personal information, keeping it safe from unauthorized disclosure or use and reducing the risk of identity theft.

Key points for state and local government to address to maintain privacy during the E-Government initiatives process include:

- Properly assess the potential risks to privacy that authentication may pose, and choose an authentication method that addresses that risk level
- Raise awareness among authenticated individuals of potential privacy issues
- Limit the amount of personal information an individual must divulge for authentication purposes
- Understand the benefits and privacy risks involved in using a common identifier (such as a Social Security Number) across multiple government applications, or in linking citizens’ information across multiple state systems




Privacy & Security: Complex Landscape [diagram]



Privacy Barometer

Privacy Journal rates the states on several factors, including whether they protect privacy in their constitutions, have laws protecting financial, medical, library, and government files, and have fair credit reporting laws stronger than the federal law. Points are added when the highest court in the state has a strong record on privacy and deducted for anti-privacy actions by state agencies or the state legislature.

Source: Privacy Journal

Cost

Budget priorities continue to give way to spending on unplanned events. Recent regulations and other compliance initiatives, coupled with a growing concern over data privacy and security, are driving more unplanned spending.



Challenges

Financial

- Growth in number of servers
- Accelerating amount of information to manage
- Need to deploy new applications faster
- Faster return on investment
- Longer retention of information
- Explosion of on-line, e-mail and shared information

Operational

- Improve operational efficiency: reduce cost!
- Lack of central management and control
- Number of processes to manage
- Need for shared information access
- Growth and proliferation of databases and files
- Backups not getting done
- Ineffective BC/DR plan
- E-mail growth out of control

Impact

- Security budgets growing as a percentage of corporate IT spend (now 5% to 11% of IT budget)
- Hard to quantify security ROI
- Multiple “point solutions” overwhelm admin staff and leave gaps exploited by attackers
- Business leaders confused about need, priorities, and technical choices
- Organizations reluctant to purchase mission-critical security systems
- Patch management costs growing exponentially
- Data becomes target of choice



Viruses: The Big Unplanned Event

Viruses

- Severe virus encounters required an average of 23 person-days to recover, with estimated direct costs averaging $81,000 per incident. (ICSA Labs)
- The average company spends between $100,000 and $1,000,000 per year dealing with the continual onslaught of virus attacks. (TruSecure)

Patching Impact

- Medium-sized network: 10 servers, 1,000 desktops
- Average patches: 2 per week
- Installations + reboots: 404 per day (1,010 machines x 2 patches per week = 2,020 installations, spread over a 5-day week)
- Assume a fast 30 minutes to apply each patch and reboot
- Result: 202 hours each day to apply patches


Patchwork of Vendors Leads to Cost

Logon Management                        No. of Vendors
  ID Verification                       38
  Biometric Authentication              91
  Password Management                   17
  Single Sign-On                        27
  Smart Card Authentication             29
  Authentication Infrastructure         30
  Authentication Tokens                 20
  Identity Provisioning & Management    37
  PKI                                   25
  Authorization                         51
  Web Access Control                    32

Secure Messaging                        No. of Vendors
  Secure Document Signing               13
  Secure email                          79
  Secure eTransactions                  21
  Instant Messaging                     18
  Spam Control                          42
  Confidential Data Control             37

Other                                   No. of Vendors
  Personal PC & Devices                 64
  Wireless                              24
  External Web Site Control             18
  Digital Rights                        27
  Multi Security Appliance              58

Policy & Config. Mgt                    No. of Vendors
  Policy Management                     30
  Network traffic management            16
  Patch management                      28
  Software & systems hardening          6
  Security Information management       27
  Configuration management              29

Monitoring                              No. of Vendors
  Scanning & Risk Assessment            45
  Traffic Analysis                      22
  Forensics                             26
  Intrusion Detection & Prevention      79

Encryption / Firewalls                  No. of Vendors
  Encryption - Storage                  60
  Encryption - Transit                  38
  SSL                                   36
  VPN                                   82
  Firewalls - Distributed               16
  Firewalls - Perimeter                 68
  Firewalls - Personal                  21

Quality of Service                      No. of Vendors
  Denial of Service                     35
  Antivirus, worm & parasite            56

Total Vendors                           1,518

Source: Trusted Strategies, Dec 2003



Threat Realities

- 99% of intrusions are from known vulnerabilities or configuration errors*
- 94% of break-ins are related to unpatched systems*
- 80 new vulnerabilities published each week:
  - 50 new viruses
  - 30 operating system and application vulnerabilities
- Patches are released every 5.5 days*

Costs to Businesses

- Direct: average $69,000 per incident
- Indirect: $2.0M+ due to intellectual property loss and lost revenue

*CERT, SANS, Carnegie Mellon University



Information Growth

…while the cost of data storage decreases…. (Source: IDC)

[Chart: cost of a gigabyte of storage, in dollars, log scale from 0.1 to 1,000, for the years ’94 through ’08]

The world produces 250 MB of information every year for every man, woman and child on earth.

…enabling large-scale data breaches. (Source: IBM)

20-30% average information growth each year overwhelms existing privacy and security management capabilities….

Not just data brokers and banks: data on approximately 13.5 million consumers has been publicly reported by businesses, hospitals, universities and other organizations as lost or stolen so far in 2005.

Source: Identity Theft Resource Center, Baltimore Sun, June 8, 2005




What Is Data Worth?

Data / Underground Pricing

Exploit code for known flaw
    $100-$500 if no exploit code exists; price drops to $0 after exploit code is public

Exploit code for unknown flaw
    $1,000-$5,000; buyers include Russian Mafia, Chinese and French governments, etc.

List of 5,000 IP addresses of computers infected with spyware/trojan for remote control
    $150-$500

Annual salary of a top-end skilled black hat hacker working for spammers
    $100K-$200K

List of 1,000 working credit card numbers
    $500-$5,000; price has increased since Operation Firewall (Oct 2004)

Prices are set for each valid credit card number, both with and without the 3-digit verification security code
    Prices are higher if there is other personal information accompanying the CC#, such as SSN, last residences, or other credit history information



RealID: State & Local Implications

Associated Costs:

- Estimated to cost states $750M for implementation initiatives (includes $80M in expenses associated with state database linkages)
- House of Representatives approved grants offering a total of $100M to states to assist in offsetting the costs associated with RealID implementation

Challenges:

- Sharing of driver’s license data across multiple agencies in 50 states, territories, tribal jurisdictions and the federal government
- Reconfiguring existing databases, and determining rules for access, management, and security
- Ensuring the security of personal data

Complexity

Security Governance, IT and Physical Security Convergence, and Identity
Management are emerging as critical issues



Security Governance: Blurring Lines


Physical Security

- Typically drawn from law enforcement or military
- Reports to Administration, Facilities, Human Resources
- Frames the issue as protection of people, facilities, operations
- Values authority and command
- Contributes prevention skill sets

IT Security

- Typically drawn from technologist ranks
- Reports to CIO or IT Operations
- Frames the issue as availability, integrity, confidentiality of information and systems
- Values creativity and technology innovation
- Contribution is continuity and availability of IT capacity

Financial Security

- Typically drawn from financial community
- Reports to Chief Financial Officer or
- Frames the issue as “Risk Management”
- Values financial efficiency and loss avoidance
- Contribution is quantitative rigor


What Makes It So Difficult?


- Action Passed / Action Completed: low executive participation ensures low priority
- Geek Speak: moving security initiatives through the organization is not a technology issue
- Ready, Fire, Aim: fuzzy IT asset inventory / assessment
- Whack-A-Mole: governance model = elaborate fire fighting
- Garbage In / Garbage Out (GIGO): huge reporting challenge
- Paving Cowpaths: rework, manual processes, point-in-time assessments
- Leaky Buckets: real costs siphoned from other programs



New, New Thing: Convergence

[Diagram: IT Security, Physical Security, Personnel Security and Customer Security converging on Identity Management, supported by Smart Cards, Biometrics and PKI, across the identity lifecycle: Enrollment, Adjudication, ID Management, ID Issuance, ID Production, Entitlements, Access, Authorization, Auditing, Other…]



Complexity of Identity Management

[Diagram components: Sponsor; Pre-enroll; Enroll; IDMS; Adjudication; Background Checks / NACs; Background (BC); 1-to-Many Biometric Checks; Watch List; Automated Fingerprint Identification System (AFIS); 3rd Party Identification System; Other Databases; Public Key Infrastructure (PKI); Credential Management System; Credential Personalization System; Inlays / Cards; Chips; Logistics / Tracking; Passport Booklet / Card Delivery; Help]



Public Sector Identity Management

[Diagram: Identity Management at the center, surrounded by domain clusters: Civil, Corporate ID, Student ID, Fraud, Logistics; Passport/VISA, Immigration, ePassport, eID; Law Enforcement, Booking, Evidence Tracking, Fingerprint/Face ID, Corrections; State/Municipal, Mass Transit, Medical, Benefits, DMV; Border Control, GTM, Port Entry, Aviation, Shipping; Defense / Intelligence, Uniform ID, Logistics, Watchlists, Threat DB]

In the U.S. alone:

- 102,514 miles of borders (land and sea)
- 330,000,000 non-citizens crossing US borders annually
- 361 seaports; 7,500 foreign flag ships annually
- 7,000,000 containers annually
- 19,000 airports; 546 with commercial service
- 17,000 aircraft simultaneously flying in US airspace
- 600,000,000 commercial air travelers annually
- 9,000,000 airline departures annually
- 102 nuclear power plants
- 30,000 municipalities and political subdivisions
- 4,000,000 miles of roads
- $54B in e-commerce annually



Looking Forward


[Diagram: Security Governance Dashboard cycle]

1. Establish Strategy, Goals, Measures
2. Prioritize Activities
3. Set Budget
4. Collect Performance Data
5. Collect Security Data
6. Manage to Outcomes
7. Update Goals

Source Systems: Administrative Systems, Security Budgeting, Security Portal, Security Document Repository. Audience: Leadership Team.



Agency-Wide Security Program Roadmap

[Diagram with areas Governance, Operations, Development, Auditing / Compliance, and Assessment Results, covering:]

- Security Awareness
- Capital Planning and Investment
- Certification and Accreditation
- Critical Operations
- Integration with Critical Infrastructure
- Incident Response Programs
- Contingency Planning
- Controls Review
- Security Plans Up-to-Date
- Risk Assessment
- Testing/Evaluating Security Controls
- Security Control Costs
- Security Planning Throughout SDLC



Summary…

- Security readiness is a marathon, not a sprint: develop your security strategy and stay committed to it over time
- Security is 99% process and 1% technology: if you cannot operationalize security, all you have is an “expensive” science project that will most likely provide only partial effectiveness
- Security is a “cross-organizational” issue: lack of organizational buy-in can kill a project; develop and maintain active executive-level participation and governance



Contact:

This document is protected under the copyright laws of the United States and other countries as an unpublished work. This document contains information that is proprietary and confidential to BearingPoint or its technical alliance partners, which shall not be disclosed outside or duplicated, used, or disclosed in whole or in part for any purpose other than to evaluate BearingPoint. Any use or disclosure in whole or in part of this information without the express written permission of BearingPoint is prohibited.

1676 International Drive
McLean, VA 22102-4828

www.bearingpoint.com

J.R. Reagan

Managing Director

Security & Identity Management Practice

Tel: +1.703.747.5724

Mobile: +1.571.238.1955

E-mail: jr.reagan@bearingpoint.com

