Security : Or Lack Thereof - PowerPoint PPT Presentation

About This Presentation
Title:

Security : Or Lack Thereof

Slides: 11
Provided by: labs67

Transcript and Presenter's Notes


1
Security: Or Lack Thereof
  • Presented by
  • David Lee and Blake Robinson

2
Background
  • As databases exist, confidential data, medical
    records, employee information, and personal
    information are all too vulnerable to threats.
  • What kind of threats?

3
Threats
  • External
  • Hackers breaking into a company and stealing
    valuable information on customers, such as
    credit cards, addresses, and phone numbers.
  • Internal
  • An angered employee steals confidential
    information on management and spreads it
    throughout the company.
  • Physical
  • Thieves steal sophisticated hardware containing
    valuable information from major public companies.
  • Does this stuff really happen?

4
Facts
  • According to a recent survey of 750 U.S. database
    developers conducted by market research firm
    Evans Data Corporation:
  • 1 in 10 U.S. companies surveyed experienced a
    database breach
  • 25 of the reported breaches were in the
    financial sector
  • 18 were in the telecom and healthcare industries
  • What's going on about this?

5
Governments Intervention
  • The European Union (EU) has set rigorous privacy
    standards for every company doing business within
    EU countries
  • A de facto standard for cryptographic processing,
    the Federal Information Processing Standard
    (FIPS-140) requires that encryption keys be
    stored in a FIPS-validated device and never be
    available in the clear
  • In the U.S., the Gramm-Leach-Bliley (GLB) Act
    requires companies to observe stringent security
    and privacy practices
  • VISA has established the Cardholder Information
    Security Program (CISP), mandating that merchants
    use encryption hardware to protect credit card
    information
  • Continued.

6
Governments Intervention (Cont)
  • Within the healthcare market, the Health
    Insurance Portability and Accountability Act
    (HIPAA) reinforces the protection of personal
    healthcare information
  • In January 2002, KPMG released a white paper
    entitled Key Management Policy and Practices
    Framework that examined the need for better
    cryptographic key management policies in order to
    develop and design secure computer networks and
    e-commerce services that adhere to best practice
    security measures.
  • What can we do about it?

7
Consumer Intervention
  • Protect data from external and internal security
    threats by making data visible only to those with
    the proper cryptographic key
  • Safeguard the corporate reputation by ensuring
    that confidential information is protected from
    unauthorized use and abuse
  • Protect data in the event of a physical security
    breach where a database server is stolen
  • Improve security controls by instituting
    role-based access control over sensitive data,
    limiting access to authorized users
  • Continued.

8
Consumer Intervention (Cont)
  • Achieve compliance with new data protection
    legislation such as HIPAA and GLB and new
    standards set by the EU and others
  • Meet due care obligations to protect information
    assets with security best practices from VISA,
    MasterCard, Identrus, KPMG, and others.
  • Provide for the separation of database
    administration and security administration duties
    as called for in current and pending privacy
    legislation.
  • How does all this affect you?

9
Credit Cards
  • When you use a credit card over the internet, do
    you know what happens?
  • Credit card numbers are encrypted when passing
    from consumer and decrypted when received by the
    merchant. This is great, but what does the
    merchant/business do with your credit card
    information?

10
Resources
  • http://www.ncipher.com/insights/databases.html
  • Security Insights: Databases
  • http://databases.about.com/library/weekly/aa121500a.htm
  • Database Insecurity: Is your credit card safe?
  • http://databases.about.com/gi/dynamic/offsite.htm?sitehttp://www.pc2Dradio.com/maxus.htm
  • Maxus