TRANSCRIPT
Security and Privacy: Panel of Perspectives
Rick Skeel
University of Oklahoma
Where Are We Most Vulnerable To Security Issues?
Integrity of the record
Privacy of the record
At sending and receiving points
How it can and does happen ...
– Destruction, Alteration, Disclosure of Data
65% Carelessness, Honest Mistakes
19% Disgruntled Employees
13% Physical Damage
3% From Outside - Hackers
Source: “Session 8.1 Security and Acknowledgement” by Jeanenne Rothenberger, SPEEDE Workshop, Baltimore MD, October 18-20, 1992
How it can and does happen (cont’d) ...
“Globally, 79% of participants in 12 countries said that a breach in their e-commerce system would most likely be perpetrated through the Internet or other external access. It is well documented, however, that the greatest risk is from internal perpetrators – such as disgruntled or former employees or external service providers who have an established relationship with the company – who may commit the breach, or may supply the information necessary to do so to someone else.”
Source: KPMG Survey, as reported by Antoinette Panton, KPMG, March 2001 Press Release “Companies underestimate internal threat, says KPMG”
So you see ...
For sending and receiving data, the more serious security risks are within our own offices - not in transit
Can be overcome with ...
– Office policies and procedures
– Controlled access to sensitive information
– Audit mechanisms
– User training and education
– User documentation and support
EDI – One Approach For Security
Fewer Paper Handlers
Eliminate U.S. Mail
Require a more Sophisticated Tamperer
Acknowledgment and Receipt
Easier Tracking for Sender and Receiver
Security … EDI-style Transcript Exchange
Control counts built into data … integrity
– transaction set, functional group, interchange
Unique identifiers for trading partners … authentication
Acknowledgements … non-repudiation, integrity
Encryption … confidentiality
– Can choose to add or not
– Works better in small, closed system
– Large effort to counter smallest risk (remember the 3%?)
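The "control counts built into data" on this slide are the X12 envelope trailers: SE01 counts the segments of a transaction set (ST through SE inclusive), GE01 counts the transaction sets in a functional group, and IEA01 counts the groups in an interchange; each trailer also repeats the control number from its header (ST02/SE02, GS06/GE02, ISA13/IEA02). The checker below is an added example, not code from this presentation or from any SPEEDE or X12 implementation; the interchange it parses is constructed for illustration, and the element positions it reads are the standard X12 envelope positions. It shows what the counts catch (a segment lost through careless handling, the 65% case) and what they do not (an alteration whose author also recomputes the count), which is exactly why the earlier slide says EDI only "requires a more sophisticated tamperer" rather than stopping one.

```python
"""Validate ASC X12 envelope control counts and control numbers.

Added example: exercises the integrity mechanism the slide lists, i.e. the
counts carried by the SE, GE and IEA trailers for the transaction set,
functional group and interchange, plus the control numbers that tie each
trailer back to its header.
"""
from __future__ import annotations

# Constructed sample interchange (not a real transcript): one interchange,
# one functional group, one short transaction set. '*' separates elements,
# '~' terminates segments. ISA13 = IEA02 = 000000001, GS06 = GE02 = 1,
# ST02 = SE02 = 0001, and SE01 = 5 (ST, BGN, N1, N1, SE).
SAMPLE_EDI = (
    "ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     "
    "*010301*1200*U*00401*000000001*0*P*:~"
    "GS*ED*SENDERID*RECEIVERID*20010301*1200*1*X*004010~"
    "ST*130*0001~"
    "BGN*00*12345*20010301~"
    "N1*AS*University of Oklahoma~"
    "N1*AT*Receiving College~"
    "SE*5*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)

# Carelessly truncated copy: one segment lost in handling, SE01 still says 5.
TRUNCATED_EDI = SAMPLE_EDI.replace("N1*AT*Receiving College~", "")

# Deliberate alteration by a "more sophisticated tamperer" who also fixes
# the count: the envelope checks below find nothing wrong with it.
RESEALED_EDI = TRUNCATED_EDI.replace("SE*5*0001~", "SE*4*0001~")


def parse_segments(edi: str, elem_sep: str = "*", seg_term: str = "~") -> list[list[str]]:
    """Split an interchange into segments, each a list of elements."""
    return [seg.split(elem_sep) for seg in edi.split(seg_term) if seg.strip()]


def _count(value: str) -> int:
    """Parse a trailer count; a non-numeric count can never match and is reported."""
    return int(value) if value.isdigit() else -1


def check_control_counts(edi: str) -> list[str]:
    """Return integrity findings; an empty list means every envelope is consistent."""
    findings: list[str] = []
    segs = parse_segments(edi)
    isa_ctrl = gs_ctrl = st_ctrl = None
    st_index = None            # position of the currently open ST segment
    groups_in_isa = sets_in_gs = 0
    for i, seg in enumerate(segs):
        tag = seg[0]
        if tag == "ISA":
            isa_ctrl, groups_in_isa = seg[13], 0
        elif tag == "GS":
            gs_ctrl, sets_in_gs = seg[6], 0
        elif tag == "ST":
            st_ctrl, st_index = seg[2], i
        elif tag == "SE":
            if st_index is None:
                findings.append("SE without a preceding ST")
                continue
            actual = i - st_index + 1        # ST through SE inclusive
            if _count(seg[1]) != actual:
                findings.append(f"SE01 says {seg[1]} segments, counted {actual} (set {st_ctrl})")
            if seg[2] != st_ctrl:
                findings.append(f"SE02 {seg[2]} does not match ST02 {st_ctrl}")
            sets_in_gs += 1
            st_index = None
        elif tag == "GE":
            if _count(seg[1]) != sets_in_gs:
                findings.append(f"GE01 says {seg[1]} transaction sets, counted {sets_in_gs}")
            if seg[2] != gs_ctrl:
                findings.append(f"GE02 {seg[2]} does not match GS06 {gs_ctrl}")
            groups_in_isa += 1
        elif tag == "IEA":
            if _count(seg[1]) != groups_in_isa:
                findings.append(f"IEA01 says {seg[1]} groups, counted {groups_in_isa}")
            if seg[2] != isa_ctrl:
                findings.append(f"IEA02 {seg[2]} does not match ISA13 {isa_ctrl}")
    if st_index is not None:
        findings.append(f"transaction set {st_ctrl} has no SE trailer")
    return findings


if __name__ == "__main__":
    for label, edi in [("intact", SAMPLE_EDI), ("truncated", TRUNCATED_EDI), ("resealed", RESEALED_EDI)]:
        print(label, check_control_counts(edi) or "no findings")
```

Running the block reports the truncated copy (SE01 claims 5 segments, 4 are present) and passes both the intact and the resealed interchange. The counts are a consistency check on the envelope, not a cryptographic one: they catch the accidental loss or duplication that dominates the incident statistics on the earlier slide, while anyone who can edit the file can edit the trailer too. The acknowledgement and encryption bullets above are what stands between a resealed interchange and the receiver.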
Are signatures still relevant?
Outside our own jurisdiction, who recognizes and/or verifies?
– e.g. banks & checks (cheques)
General acceptance of new paradigm without signature
– Credit cards, debit cards
“Acceptance” of “implied confirmation”
– Computer software (“By breaking this seal, you accept…”)
– Check boxes (“I agree…”)
Digital signatures
– Link you to the computer, not necessarily the person
– Carry the same notion of intention as a hand-written signature?
– http://www.schneier.com/crypto-gram-0011.html
Identity Theft – The Newest Threat
Serious issue or just in the news?
Use of the SSN on campus
– Who really needs access?
– Who wants access?
– Who gets access?
ID number on student & faculty/staff cards