Sheikh Nisar Ahmed, MSCL, Karachi, Pakistan
As identity theft reaches epidemic proportions, more organizations are launching projects to protect their information.
by Carol Hildebrand // photo by Syed Zargham
Once the province of solitary hackers, identity fraud has moved into the big leagues with a vengeance—and organizations are responding with a slew of new projects aimed at stopping it.
“At the end of December last year, we saw that 40 million [U.S. residents] were affected by ID theft. Now, we anticipate that 72 to 75 million [U.S. residents] have been affected,” says Rosaleen Citron, CEO of WhiteHat Inc., a security consultancy in Burlington, Ontario, Canada.
Numbers like those are reflected around the world. According to Deloitte's 2006 Global Financial Services Industry Security Survey, 78 percent of the 31 financial institutions responding worldwide have experienced a breach in the last 12 months.
Identity theft is a booming business, with criminals paying $10 for each stolen name that includes a credit card number with the security code and a birth date. “It's not just hackers—today it's organized crime getting involved,” Ms. Citron says. “It's a big shopping mall out there for thieves.”
- Phishing: Thieves try to gain sensitive personal information through fraudulent e-mails or phone calls.
- Spyware: Malicious software installed on a computer without the owner's knowledge collects information, such as personal identification numbers for online banking accounts.
- Social engineering: Confidential information is obtained by exploiting a person's natural tendency to trust others.
This rising tide of theft has prompted a global array of regulations and legislation—such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States and Basel II in Europe—designed to protect personal information. That, in turn, is prompting many organizations to launch identity protection projects designed to better safeguard data. In the Deloitte survey, 58 percent of the respondents listed identity theft and account fraud as one of their top five initiatives for 2006.
Harder Than It Seems
There's a gap between recognizing the need to protect information and actually doing so, however. Many organizations face significant challenges in their efforts to implement identity-management projects. Take, for example, the general reaction to the Homeland Security Presidential Directive 12 (HSPD 12), issued in August 2004 by U.S. President George W. Bush. The directive establishes a single, government-wide standard for identification credentials issued by the U.S. federal government to all its employees and contractors.
HSPD 12 is proving to be a tough sell in U.S. government agencies, says Bruce Brody, who was the chief information security officer (CISO) at the Department of Energy until January 2006. He is currently vice president of information security at INPUT, a market research firm based in Reston, Va., USA.
“HSPD 12 looks like a program management disaster waiting to happen, and that's too bad, because it's a very good idea,” he says. The problems are twofold. First, the directive is unfunded, meaning that agencies have to scramble to find room in their budgets for an expensive project. “At [the Department of] Energy, the CFO was very resistant to this project, because the price tag was in the neighborhood of $100 million over five years,” he says.
The business case, cost benefit and return on investment analyses couldn't be performed because the baseline requirements aren't spelled out in sufficient detail—for example, no biometric standard is defined. “Any good identity management program manager needs a handle on the risk factors associated with an implementation, and it's hard to do that when the requirements aren't stabilized,” Mr. Brody says.
Despite these challenges, companies worldwide are moving ahead with projects designed to mitigate identity fraud, and there are some basic best practices that will help maximize the chance of project success.
Organizations must start by understanding that identity management strategies go beyond software. Education and policy-development projects, for example, can prove just as important as technology initiatives. “Identity theft is not just about the technology. … Often, the security of information is compromised by human behavior,” according to the Deloitte survey.
“Encryption is a good method but it's not the only protection when an individual can call and get information through social engineering or other methods due to the lack of policies in place around this sort of breach,” says Barry Thompson, managing partner and founder of Thompson Consulting Group LLC, Oswego, N.Y., USA, a security practice focusing on banks.
Instituting behavioral policies against identity theft is a vital first step. “Specifically for identification theft, many companies are working on privacy-protection projects such as security policy development,” says Dave Fosdick, PMP, director of consulting and professional services at RSA Security, a provider of online-identity and digital-asset protection solutions in Bedford, Mass., USA.
Watch Thy Partner
Multinational companies or those working with global partners face a particularly intricate regulatory net when it comes to privacy protection projects.
“I've got one client that has to comply with PIPEDA [Personal Information Protection and Electronic Documents Act], the Gramm-Leach-Bliley Act, HIPAA [Health Insurance Portability and Accountability Act], SOX [Sarbanes-Oxley Act], the Irish Protection Act and the Hong Kong Privacy Act,” says Tom Welch, Secure Enterprise Solutions. “It's really difficult. The key is to provide a level of security that meets the most stringent guidelines.”
In these cases, privacy officers have to comply with a tangle of stringent regulations from around the globe—but also race to keep abreast of the ever-changing regulatory environment.
There's another wrinkle. Increasingly, companies are outsourcing corporate functions to offshore partners that may not maintain the same level of vigilance when it comes to protecting personal information. Although it may save the company money, it can mean increased vulnerability to both data breaches and legal liability.
Many Asia Pacific locales, including outsourcing giant India, lack adequate skills and competencies to ensure identity protection, according to the 2006 Global Financial Services Industry Security Survey from consultants Deloitte. None of the survey respondents from Asia Pacific (excluding Japan) said that they have the required skills and competencies to respond effectively and efficiently. “Companies need to set clear expectations as far as putting security and privacy standards in place,” says Adel Melek, Deloitte. “Most of the breaches taking place across financial institutions come from indirect processors such as partners and vendors.”
Barry Thompson, Thompson Consulting Group LLC, would take it one step further. “Every company should reconsider the outsourcing of things like call centers overseas,” he says. “They're outsourcing to a less secure place as a result. Identity theft is one of the fastest growing crimes out there, and any company that has your personal information and is not protecting it is not worth doing business with.”
Instituting such policies can have a direct impact on battling identity fraud, Ms. Citron says. Data aggregator ChoicePoint, for example, suffered a breach when thieves opened ChoicePoint accounts by pretending to be actual businesses. “The reason they were broken into is that they had no policy inside that said, ‘We need to check that this is a legitimate company before we give them access to our database,’” she says. “Companies need to create and implement policies that protect their data.”
Project managers of identity-theft projects will depend on subject-matter experts such as chief information security officers to provide guidance and sponsorship. They also may want to check out a number of best practice methodologies. “For project managers, one of the first things on the list is to understand best practice standards,” says Tom Welch, Secure Enterprise Solutions.
One good place to start is the safeguard rule put in place to support the Gramm-Leach-Bliley (GLB) Act, says Paul Kurtz, Cyber Security Industry Alliance. “It contains all the key pieces that a company ought to put in place, including ensuring that there's a person responsible for information security, assessing risk and best practices around securing personal information.”
The GLB institutes privacy levels and requires financial institutions to develop a written information security plan.
Mr. Kurtz also recommends the ISO standards 17799 and 27001, which examine information security practices in far more detail than the GLB document.
“They're broken into logical domains such as physical and informational security and written in a way that a lay person can understand,” Mr. Welch says. “If you comply with the GLB safeguards or 17799, you will, in general, be in very good shape as far as complying with data security laws and other laws that bear upon information security.”
That's just the first step in creating a company-wide strategy around identity theft that follows data throughout its entire life cycle, says Adel Melek, global leader for the security and privacy services practice at Deloitte in Toronto, Ontario, Canada. “It's one thing to come up with policies and standards and another to institutionalize everything in the information life cycle,” he says. “It is, generally speaking, very early days in this area for many companies.”
Companies also should take a step back and find out where sensitive personal data lies throughout the company. Here, the first project to tackle is an audit of informational assets, says Tom Welch, president of Secure Enterprise Solutions, an IT security consultancy in Glenwood, N.J., USA. “Most of my clients don't know where their information is stored, so how can they protect it?” he asks. “You need to understand what you have and where it is stored on the infrastructure.”
Next, organizations should classify the data according to its sensitivity, then “you can more easily put in the proper controls around each level,” Mr. Fosdick says.
“By classifying data, you set the value or sensitivity of this information, thereby allowing you to apply the commensurate level of security based upon known threats,” Mr. Welch says. “It's a basic best practice to do a risk assessment and gap analysis like this.”
From there, companies can move to tactical protection projects.
Encrypt and Authenticate
When it comes to basic technology initiatives that can bear fruit, companies should look more closely at their authentication and encryption efforts, says Paul Kurtz, executive director of Cyber Security Industry Alliance. “Encryption needs much greater attention, whether it be in financial services, healthcare or government,” he says. “We need to get more serious about encrypting data at rest and in transit.”
The same goes for authentication efforts. This is particularly true in light of a recent mandate from the U.S. Federal Financial Institutions Examination Council stipulating that the nation's banks introduce multifactor authentication for “high-risk” Internet transactions by the end of 2006.
Yet, authentication efforts at many companies top out at asking for a mother's maiden name and instituting password protection. That's not enough, though. “We need to take authentication far more seriously than we have—well beyond password control,” Mr. Kurtz says.
Authentication was certainly a focus of the Citizen Registration Project in Pakistan, a massive, multiyear project designed to reduce fraud associated with the country's national ID program. The system uses fingerprints, a photograph, cornea mapping and face recognition to authenticate each card holder. By building in these layers of identification, the program can vastly reduce identity fraud, says Sheikh Nisar Ahmed, CEO and managing director of MSCL, Karachi, Pakistan. He has been heavily involved in the project since it was originally conceptualized.
“We do everything, and it's not easy,” he says. “But no single system is 100 percent accurate. If you have a thumb imprint capture that's not accurate, you can use face recognition, cornea snapshots, etc.”
Multifactor authentication techniques have cut down on card abuse. “If the person has fraudulently taken out more than one card, for example, the system will match the cornea and fingerprints and face recognition and will catch that person,” Mr. Ahmed says.
Building in Security
Identity-management processes and procedures work best when they're embedded in the organization's business processes. This means success depends on a company's ability to think of security and privacy issues during the earliest design phases of a project. “It's very hard to integrate security and privacy measures into an IT project after the fact,” Mr. Melek says. “It's not a bolt-on item.” From stronger authentication procedures in an e-banking application to specifying hardened servers for storing sensitive data, planning ahead can pay big dividends.
One way to ensure this happens is to include security people on the project team from its inception, Mr. Fosdick says. “Team construction is key. If you're doing data protection, you need to have the policy person, an encryption expert and a security architect on board to pull it together, as well as people that understand the regulations affecting your industry and how they should be implemented through technology,” he says.
The business side also should be represented as project sponsors or team members. “For so long, there has been a problem where senior management says, ‘This is an IT issue or a CISO issue,’ and the business operators don't have a say. That's a mistake,” Mr. Kurtz says.
The Pakistan Citizen Registration project, for example, thrived when it had the prime minister as a sponsor—and was plunged into chaos when the government changed. It only became stable again when the new president of Pakistan agreed to assume sponsorship of the project. “The only way for us to succeed was through very strong sponsorship,” Mr. Ahmed says.
And finally, don't assume that your protection measures will work. Test them to find out. “Prior to going live with a new project, you need to give it a solid security assessment,” Mr. Melek says. He recommends:
- Penetration testing: The organization simulates a malicious attack to measure system security.
- Application security code review: Source code is examined for security vulnerabilities.
- Data integrity reviews: The organization checks that data is valid and accessible only to authorized individuals.
These procedures were once confined to Internet e-business and other applications that extended beyond the safety of the corporate security perimeter. As insider theft skyrockets, however, internal applications should be tested as well. “I've seen enough incidents to suggest that insider-type fraud is equaling that on the outside,” Mr. Melek says.
To be safe, organizations need to arm their informational fortresses both within and without.
Carol Hildebrand is a freelance writer based in Wellesley, Mass., USA. A former senior editor at CIO, she has appeared in Baseline, Darwin, Computerworld, Network World and other publications.
PM NETWORK | SEPTEMBER 2006 | WWW.PMI.ORG