Failures of Information Security: Observing the World and Asking Why

By Adam Shostack and Andrew Stewart, Addison-Wesley Professional |  Security, data breach, information security

The desire to commit fraud is an important part of the rapidly growing and widely misunderstood crime known as identity theft. Before we can discuss it, we need to describe identification, authentication, and authorization. These three concepts are often confused. Identification concerns the labels we provide for things. Much like The New School of Information Security identifies a book, “John Wilson” identifies a person. We use other identifiers to identify people, such as “Dad.” Dad is not a unique identifier, but most people are pretty sure whom they mean when they say it. A bank with eight customers named John Wilson needs to be able to differentiate between them. Anyone can claim to be John Wilson, so how can we tell if he really is? The answer lies in authentication, which lets the bank figure out which John Wilson is standing in front of it, and in authorization, which determines whether that John Wilson is allowed to take money from account number 1234.

You may plan to have coffee with John, and he might tell you that he is tall, bald, and is wearing a green shirt today. Those are authenticators. They help you recognize John at the coffee shop. But if you’re a bank, you want to make sure that John is authorized to withdraw money, so you first need to authenticate him, which is why you check his signature, password, or PIN. Identification and authentication are tricky. Too many organizations believe that anyone who knows your social security number (SSN) is you.

The same information about us is stored repeatedly, by different organizations and in different places. Tremendous duplication occurs, and many organizations continue to design processes that depend on these little pieces of data. The problem is that many of these identifying fragments were never designed for the ways in which they are being used. The SSN was not designed to be secret, and yet it is widely believed to be secret and often is treated as such. The result is that SSNs are used as both an identifier and an authenticator. We are told it is important not to hand out our SSN willy-nilly, but at the same time, everyone demands it.
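The following is an added example, not code from the book or its authors, that makes the distinction concrete. It models a toy bank with two of its eight John Wilsons. The customer IDs, account numbers, SSNs, PINs and balances are all constructed for illustration. The weak path treats a known SSN as proof of identity; the stronger path keeps the three steps apart: a unique identifier selects the customer, a PIN that is hashed and compared in constant time authenticates, and an ownership check authorizes the withdrawal.

```python
"""Identification vs. authentication vs. authorization, as a toy bank.

Added example; the customers, SSNs, PINs and balances below are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Customer:
    customer_id: str   # unique identifier chosen by the bank
    name: str          # a label, not unique: the bank has eight "John Wilson"s
    ssn: str           # widely known identifier; NOT a secret
    pin_salt: bytes    # per-customer salt for the PIN hash
    pin_hash: bytes    # authenticator: only the customer should be able to produce it


@dataclass
class Account:
    number: str
    owner_id: str      # which customer is authorized to draw on this account
    balance: int


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen table does not directly reveal PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def new_customer(customer_id: str, name: str, ssn: str, pin: str) -> Customer:
    salt = os.urandom(16)
    return Customer(customer_id, name, ssn, salt, _hash_pin(pin, salt))


# Constructed sample data (assumed values, not from the book).
CUSTOMERS = {c.customer_id: c for c in [
    new_customer("jw-1", "John Wilson", "123-45-6789", "4821"),
    new_customer("jw-2", "John Wilson", "987-65-4321", "9900"),
]}
ACCOUNTS = {a.number: a for a in [
    Account("1234", "jw-1", 500),
    Account("5678", "jw-2", 50),
]}


# --- Weak design: "anyone who knows the SSN is you" -------------------------
def withdraw_ssn_only(ssn: str, account_number: str, amount: int) -> bool:
    """Uses the SSN as both identifier and authenticator.

    Whoever knows the owner's SSN (a landlord, an insurer, a breach dump)
    can empty the account; nothing secret is ever checked.
    """
    owner = next((c for c in CUSTOMERS.values() if c.ssn == ssn), None)
    acct = ACCOUNTS.get(account_number)
    if owner is None or acct is None or acct.owner_id != owner.customer_id:
        return False
    if acct.balance < amount:
        return False
    acct.balance -= amount
    return True


# --- Stronger design: three separate steps ----------------------------------
def withdraw(customer_id: str, pin: str, account_number: str, amount: int) -> bool:
    # 1. Identification: the unique ID picks out one of the eight John Wilsons.
    cust = CUSTOMERS.get(customer_id)
    if cust is None:
        return False
    # 2. Authentication: can the caller produce the secret only the owner knows?
    if not hmac.compare_digest(_hash_pin(pin, cust.pin_salt), cust.pin_hash):
        return False
    # 3. Authorization: is this authenticated customer allowed to draw on this account?
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.owner_id != cust.customer_id:
        return False
    if acct.balance < amount:
        return False
    acct.balance -= amount
    return True
```

Note that in the weak path the second John Wilson, or anyone else who has ever been handed the first one's SSN, succeeds without knowing anything secret, whereas in the stronger path a correctly authenticated jw-2 is still refused on account 1234 because authentication and authorization are answered separately.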

If something is valuable, it should be protected, and we should give our personal information to only trustworthy organizations that really need it. Unfortunately, most organizations seem to think that they are trustworthy and that they must have our personal information. Landlords, utility and insurance companies, employers, hospitals, governments, and many others all profess to be completely trustworthy. It’s likely that these organizations, storing the most personal information imaginable, will authorize hundreds of thousands of other completely “trustworthy” people at a variety of organizations to see it, increasing the possibility that it will become compromised.
