PS2009 — Justin Somaini, Symantec

February 3, 2009

Feb 3rd, 1:30pm
Live blog post…

Justin Somaini’s talk was on information security in turbulent times:
– 70 percent of malware is targeting sensitive information
– 10,000 to 20,000 virus signatures created each DAY (up from 1,000 per week only 4 years ago…)

Threats are increasing. With security budgets likely to drop during the recession, can we find other ways to educate and motivate employees and executives?

The image of information security people is negative, making communication between IT and business difficult. What is needed is a strong two-way conversation to improve relationships. Mr. Somaini’s experience is that the relationship is key to gaining trust between the two groups. In Symantec, he has observed a significant increase in the reporting of security incidents immediately after collaborative visits with business users.

The point of the talk is that fear can’t be used to change behavior — information sharing and relationship building are the keys.  Less policing, more discussion…


PS2009 — Telus/Rotman IT Security Study

February 3, 2009

Feb 3rd, 10:10am
Live blog post…

Alan LeFort from Telus presented on this Canadian IT security practices survey and study:
– 60 percent of Gov’t don’t enforce their security strategy
– 4 percent of Gov’t orgs reported financial data loss
– 1 in 11 have lost confidential data
– private organizations almost 3 times more likely than Gov’t to communicate security issues with stakeholders
– IT security investments directly impact (reduce) security incident reports
– Gov’t strong in network security, weak in application security (e.g. lack of strong authentication)
– breach costs average 23 percent higher in Canada vs US
– private sector paying 35 to 40 percent higher salaries for security staff

The 2009 study will target 800 respondents (up from 306 in ’08). Currently looking for input to survey design — Google ‘Rotman Telus Security Survey’ to find the site.


10th Annual Privacy and Security Conference

February 3, 2009

I’m back in Victoria, British Columbia this week for what is becoming an annual event for me — the Privacy and Security Conference sponsored by the BC Government.  I like this conference because it has a public-sector flavour to it; the speakers and attendees see the same challenges in their work as I do.

The plan is to produce a post or two each day but we’ll see how it goes…


The Banks Respond

January 26, 2009

As a follow-up to my post last week on strong authentication, I sent an email to each of the Big 5 Canadian banks.  I was curious as to what options there were for obtaining some type of multi-factor authentication solution.

My question was: “I’m considering opening an account with your bank, and I would like to use features such as bill payment and funds transfers using web banking.  However, a password protected web banking site does not provide the same protection as strong (2-factor) authentication.  Is your bank looking at strong authentication options as a potential future enhancement to web banking?”

(The responses have been anonymized, but are otherwise verbatim.)

Bank 1 Response:

In regards to strong two factor authentication, we use three factors: the 13-digit Access Card number, the 5 to 8 alphanumeric password and the question and answer challenges previously registered with our site.

Please be assured that our web banking is a fully secure site, and your account information is protected by a number of different security protocols.

Bank 1 also provided links to FAQs, their reimbursement guarantee and descriptions of site security features (e.g. encryption, monitoring, etc.)  Note their use of the phrase ‘fully secure’.

Bank 2 Response:

We are currently in the process of introducing a new service as an added enhancement to our online security.  This is a variation on two factor authentication, which in combination with our online guarantee, provides protection that exceeds industry standard.

The new service prompts for five secret questions and answers.  It then needs to know if you are on a computer that you regularly use.  If you say ‘yes’, it grabs a ‘unique identifier’ for that computer.  You can specify more than one PC.  If you login from somewhere other than your identified computers, it prompts you for the answer to one of your previously supplied questions.

Bank 2 also provided a link to other security measures and to their qualified guarantee.

Bank 3 Response:

… furthering our commitment to protect your accounts from unauthorized access and fraud, an enhanced login to web banking has been introduced. These enhancements include multi factor authentication questions that add an additional level of protection, ensuring that your accounts cannot be accessed by an unauthorized third party.

All customers are now required to enrol in the enhanced login.

As with the others, Bank 3 provides a guarantee and links to other security measures.


Well, it is clear that the representatives from these three banks do not understand strong authentication.

In each case, they have indicated that adding a second ‘something you know’ to the authentication process is a meaningful improvement.  While this is better than a password alone, it does not address the real problem: the account is lost as soon as the shared secrets escape (by phishing, for example), however many of those secrets there are.  Only by combining two different factors (e.g. something you know, a password, and something you possess, perhaps a fob) can the authentication strength be significantly increased.  This is standard knowledge in our industry…
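To make the distinction concrete, here is an added example (not from the original post or from any bank) of a login check that really does combine two different factors: a salted password hash for ‘something you know’ and an RFC 6238 time-based one-time code for ‘something you possess’, which is what a hardware fob or phone app computes from a key only the holder has. The key, salt and password are constructed demo values; the key is the RFC 4226/6238 test secret so the codes can be cross-checked against the RFC test vectors. Adding a third or fifth secret question to this scheme would only add more calls like hash_password, all of them the same factor.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from any bank). The key is the RFC 4226/6238
# test secret, used only so the expected codes can be checked against the RFC.
DEMO_TOTP_KEY = b"12345678901234567890"
DEMO_SALT = b"constructed-salt"
DEMO_PASSWORD = "correct horse battery staple"
STEP_SECONDS = 30


def hash_password(password: str, salt: bytes) -> bytes:
    # "Something you know": store only a salted PBKDF2 hash, never the secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic
    # truncation" picks 4 bytes at an offset given by the low nibble of the MAC.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    # RFC 6238: the counter is the number of `step`-second intervals since the
    # epoch. A fob or phone app computes exactly this; a phished password
    # does not help an attacker who does not hold `key`.
    return hotp(key, unix_time // step)


def verify_login(stored_hash: bytes, salt: bytes, key: bytes,
                 password: str, code: str, unix_time: int) -> bool:
    # Both factors are always evaluated and compared in constant time, so the
    # response does not reveal which one failed.
    know_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    # Accept the current step and one step either side to tolerate clock drift.
    have_ok = any(
        hmac.compare_digest(totp(key, unix_time + d * STEP_SECONDS).encode(),
                            code.encode())
        for d in (-1, 0, 1)
    )
    return know_ok and have_ok
```

A real deployment would also rate-limit attempts and bind the TOTP key to the user record at enrolment; the point here is only that the second check depends on a device, not on another memorised answer.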

Two of the three did indicate that monitoring was part of their security solutions.  Intrusion detection systems certainly can detect fraud when transactions occur outside the user’s normal spending patterns.  While on vacation a few years ago, I found that my credit card didn’t work — the company had blocked it when I started using it in a different country.  This was outside my normal pattern of use.  I assume that banks have similar setups with web banking transactions, but I’m a bit skeptical as to how well they would work.

For example, would monitoring prevent an external account being setup to transfer funds?  That is something I have done in the past, and I do regularly move money between accounts using web banking.  How would a monitoring solution know it was me vs someone who just knew my password and/or secrets?

But the most bothersome thing for me is the ‘guarantee’.  While there are a number of qualifiers to these guarantees, it is clear that the bank is going to refund your money if you are phished/hacked.  But… where does that money come from?  Well, directly from the bank’s customers in the form of increased borrowing costs, credit card fees and account service fees…

Implementing stronger security, such as that offered by strong, multi-factor authentication, is likely a more cost effective and efficient way of dealing with the issue of unauthorized online bank account access.  And isn’t this what all banks require for their physical-world bank machines today — that is, don’t we have to provide a PIN (something we know) along with a bank card (something we possess) in order to access our money?  A strange contradiction, one that is worth questioning as we move more and more of our personal business onto the Internet…


Identity Assurance — Trust Levels

November 30, 2008

3rd in a series.

The second part of the Assurance Component of the Pan-Canadian Assurance Model to discuss are Transaction Assurance Levels, or more simply, Trust Levels.

Trust Levels are defined in the pan-Canadian IdM&A Framework as ‘a pre-established statement of the level of certainty that is needed to access information or conduct a transaction.’  They are directly linked to the Information Classification.

The model establishes four trust levels:

1. No Trust — Anonymous Transaction.  Used with information that is unclassified (e.g. published information).

2. Low Trust — Routine Transaction.  Used for protection of systems containing basic information, i.e. information with a Security Classification of Low.

3. Medium Trust — Verified Transaction.  Used with systems that need to protect confidential data, such as some medical records, tax information, identity information, etc.

4. High Trust — Corroborated Transaction.  The highest level of trust; required for protecting information classified as High (e.g. cabinet documents, criminal trial information, etc.)

It is important to note that the ‘transaction’ referred to in this discussion is the business transaction that will be supported by the identity and access management system.  For example, medium trust is needed by business transactions that need to be verified (due to the sensitivity of the information being protected).

In Practice:

Trust Levels allow for a clear description of what we need to establish before we allow access to an application or information set.  On the surface, the Trust Levels differ little from the Security Classifications, but the exercise of assessing trust and assigning a Trust Level is important.  It forces the business to ask some key questions: How much do I need to do before allowing access to this information?  Have I classified the information correctly, and is that reflected in the Trust Level?

As can be seen from these questions, the word ‘trust’ forces the business to look at the Security Classifications in a somewhat different light.  That allows for better conversations around what the value of the information is and what an appropriate access solution might look like.

Next: Registration Process.

Canadian Bar Association, Privacy Section

November 27, 2008

The Canadian Bar Association / L'Association du Barreau canadien

I had the pleasure today to present to an attentive and curious group of privacy lawyers at the Canadian Bar Association.  The presentation was a rapid fire slide deck titled Identity Management: Drivers, Challenges and Opportunities; click here to view.

Many thanks to Jane Steblecki from Field Law for the opportunity.


Canadian IT Security Stats

November 10, 2008


The 2008 Rotman-TELUS Joint Study on Canadian IT Security Practices is a must-read for anyone involved with identity, security or privacy in Canada.  

There were 300 participants, including responses from private companies, publicly traded corporations and government/not-for-profit organizations.  The survey results are primarily broken down into these categories, so I’ll summarize some noteworthy numbers for Government organizations:

  • 16 — percentage of organizations that have experienced a breach due to misuse of a public web application.
  • 26 — percentage of respondents that are planning to invest in Identity Management in the next 12 months (tied for second highest priority, behind storage encryption).
  • 39 — percentage of organizations that perform risk assessment annually.
  • 55 — percentage that indicated they have experienced a breach due to virus, worms, malware, etc.
  • 65 — percentage of organizations that allow outsourcing of IT security.
  • 66 — percentage of security groups that report to an IT executive (as opposed to CEO, Risk Management or other line-of-business executive).
  • 68 — percentage that indicated litigation as a ‘breach concern’.
  • 321,429 — amount, in dollars, the average breach is estimated to cost a government organization.
  • Zero — percentage of respondents that reported they have lost proprietary information due to a breach.

(For some interesting statistics from the Calgary Critical Infrastructure conference, click here.)