Creating a Security Verified Label Standard
Patricia Joseph, Joseph Consulting LLC
Agenda
• Introduction
• The Threat is Real & increased trends in security breaches
• What is the security problem, if 80% of breaches are preventable?
• Need for security and the need for security Labels
• Putting it all together: the Security Verified Standard Labels
• Conclusion
• Questions
Introduction
• A standard of measurement is needed in the industry so that consumers can quickly determine whether the software and hardware functionality they wish to implement has the ability to be secure within their network.
The Threat is Real
• Increase in security breaches:
  • The number of data breaches rose 21% in 2006 and quadrupled in 2007
  • In 2008, a 47% increase over 2007
• In the past five years, approximately 500 million records containing personal identifying information of United States residents stored in government and corporate databases were either lost or stolen.
• 80% of people have had their information stolen at least once in the past five years.
What are the gypsies after?
• Everything
• Credit card information
• Health information
• Marketing information
• Personal information
• Your entire computer: CPU, hard drive
• Just about anything they can steal, aka the Gypsy Hacker
80% of security breaches are preventable
• In the case of a large discount store, mentioned in my abstract, wireless access was left completely open and unsecured.
• In the case of a major health care industry, down for a month because of an XSS hacker message.
• A major health association allowed major queries to the database, exposing confidential information to the public
• Simple fixes, detrimental impacts
Why are there a high number of breaches if 80% are preventable?
• "How could we have a breach? We have a firewall"
• Main focus is on functionality
• Cost of security
• Education of security
• Chief Technical Officer
• Ignorance of the organization
• Individuals in the organization may not be educated in security or aware of security patches and fixes
Need for Security
• Do we need security and security standards?
• Of course
Known Security Standards
• Examples of standards:
  • OWASP (Open Web Application Security Project)
  • SOX/PCI
  • 2700, NIST
  • IEEE
• How do we put all of these standards together?
Standards Working Together
Security Verified Label Standard implemented as both a
• Software standard
• Organizational standard
All Working Together: Security Verified Label Standards
[Figure: the OSI model stack, each layer paired with its own set of standards]
• Application layer: Application layer standards
• Presentation layer: Presentation layer standards
• Session layer: Session layer standards
• Transport layer: Transport layer standards
• Network layer: Network layer standards
• Data link layer: Data link layer standards
• Physical layer: Physical layer standards
• Using the OSI model as our basis of organization, we can distinguish and set standards for each layer
Security Verified Label Standard
• Software companies comply with set standards of how to make their software secure
• Examples:
  • Web software: SSL capable + instructional documentation
  • AIX containing documentation to harden the OS
Security Verified Label Standard
• Consumers have a simplified way of telling whether a software company has considered security, by reading the package or product description.
• Example:
Security Verified Label Standards: Benefits
• Faster and easier way to tell through labels whether the software you are buying has security capabilities.
• Easy way for non-technical and non-security-educated buyers to tell how secure the software is
• Cheaper for organizations to implement this security standard
• Easier for organizations to implement security through the instructions given with the software.
• If the software claims it fits this standard, it must come with implementation instructions
• Responsibility lies on each part of the organization
Working Together: IT Organization
• Each part of the organization is responsible for its own piece of security
Conclusion: Creating an Overall Standard
• Security decisions need to be made easier and cheaper for consumers
• Using the OSI model as the scale by which to measure a level of security, a label can be given to the software stating at what level it has the potential to be secure.
• This security verification standard would outline how the software and hardware would be considered secure. Each level according to the OSI model would contain its own set of standards. Once the software/hardware passes the verification, a label can appear next to the software. This will make decisions easier for consumers and essentially easier for upper management to understand.
Acknowledgements
• http://www.wired.com/threatlevel/2009/11/cyber-attacks-preventable
• http://www.theregister.co.uk/2008/01/02/data_breaches_skyrocket
• http://www.identitytheft.info/breaches09.aspx
• http://www.idtheftcenter.org/artman2/publish/m_press/2008_Data_Breach_Totals_Soar.shtml