
Identity Theft: More Than A Stolen Wallet

Maintaining trust is the first thing to remember

As the role of IT administrators continues to expand, it is imperative that companies not lose sight of their core responsibilities: managing and protecting corporate data. This responsibility is becoming increasingly important in the enterprise due to the staggering rise in identity theft around the globe.

A recent report from the Federal Trade Commission (FTC) found that identity theft has achieved the dubious honor of being the most common form of fraud, accounting for 43% of all complaints.

And as more and more corporate and personal information becomes accessible online, that number is increasing. In fact, the FTC reports that identity theft incidents increased 73% from 2001 to 2002.

For a long time, privacy and other forms of e-security have taken a back seat in the enterprise to pressing business issues that consume the attention of both senior management and IT staff alike. It has been common practice to put off thinking about security until the "unthinkable" occurs - a breach. Obviously, that's too late. With this passive approach, companies may be jeopardizing their customers' privacy.

Consider these cases, which have been previously reported in the media:

  • The largest identity theft case in history was announced last fall, with total losses estimated at $2.7 million. In this case, investigators arrested a help desk employee of a third-party credit agency who was able to access confidential information about the company's corporate clients.
  • A break-in at a health insurance management company resulted in the theft of a file server containing health care information, including some credit card data, from thousands of U.S. military personnel.

Identity theft in and of itself is a broad category, with incidents ranging from petty theft of a single person's identity all the way up to the million-dollar scams described above. But the root cause is the same - the theft of personal information that can be used to obtain credit in another person's name, including bank/credit card numbers, driver's license numbers, social security numbers or even personal information as seemingly harmless as a birthday or mother's maiden name.

But who should take responsibility for protecting people against identity theft? The responsibility has to come from both individuals and organizations holding sensitive data. It's not an either/or situation. For both parties it's largely a matter of awareness. Individuals need to recognize just how easy it is for someone to use their personal information to commit fraud; and organizations need to recognize that it is a privilege to have access to the personal information of employees and customers.

Many organizations don't realize how much sensitive information they carry on their servers and storage devices. Virtually every organization has personal information about its employees that could be used for fraud. Organizations that keep personal information about their customers have an added burden to protect that information. These organizations cut across nearly every industry - from health care organizations to financial institutions to government entities to online consumer sites.

It is important for companies to recognize that identity thieves are less likely to be nameless, faceless hackers than they are to be employees or partners of the company owning the database. This calls for extra time spent ensuring that users of the database have appropriate levels of authentication and access control. Any organization managing identities and customer information is vulnerable to identity theft, and needs to be vigilant about securing that information.

How can organizations prevent/limit identity thefts? First, companies need to determine where the sensitive information exists within their organizations. This is easier said than done because the information could reside on myriad servers and storage systems. You can't protect what you don't know about. Second, companies need to get a true understanding of where and how the information is used to conduct business. Who is it sent to? Under what circumstances is it sent? How is it sent? Who is authorized to access the information in the first place? Where does it come from? Only then can they begin to understand the various points of vulnerability and address them.

Once these first two steps are complete, companies must ensure the systems in place are tamper-proof - making sure information "at rest" is encrypted. This means properly authenticating users (who gets in), monitoring access of the users (where they can go once inside the system), and monitoring the "perimeter" for intrusion attempts. If this is not done properly, identity information can be compromised and the trust of all identities in the system is called into question. A well-managed system for protecting against identity theft includes the following:

  1. Properly vetting individuals to assure that the personal information they provide is truly theirs
  2. Providing credentials to users accessing the information and providing them with authentication methods to ensure that someone can't access the information using false credentials
  3. Implementing the appropriate technologies that allow administrators to access the data they need to effectively perform their jobs, while implementing policies and safeguards that prevent those same administrators from misusing the information
  4. Establishing a solid credential-maintenance program - i.e., updating credentials and privileges on a regular basis
  5. Quickly revoking credentials and privileges of those who should no longer have access

On the technology front, businesses must move beyond the use of basic passwords for signing onto systems. Technologies that exist today, like two-factor authentication and smart cards, and those that are on the horizon, such as mass-market biometrics, are no longer the exception to the rule. They must become the standard.
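The credential controls listed above (steps 2 through 5), as an added example that is not code from the article or from RSA: a small Python model that issues credentials with an expiry, authenticates and revokes them, and shows each role only the fields its job needs while logging every access. The customer record, role names and user names are constructed for illustration.

```python
"""Illustrative model of credential issuance, authentication, revocation and
need-to-know field masking, with an audit trail. Added example; all names,
roles and the sample record below are constructed, not from any product."""
import hashlib
import hmac
import secrets
import time

# Constructed sample record holding the kinds of data identity thieves target.
CUSTOMER = {"name": "A. Example", "ssn": "123-45-6789",
            "card": "4111111111111111", "dob": "1970-01-01"}

# Which roles may see which fields in the clear (step 3: need-to-know access).
ROLE_FIELDS = {"fraud_analyst": {"name", "ssn", "card", "dob"},
               "help_desk": {"name", "dob"}}


class CredentialStore:
    def __init__(self):
        self._creds = {}      # user -> (salt, password hash, role, expires_at)
        self.revoked = set()  # step 5: revoked users are refused immediately
        self.audit = []       # every read attempt, granted or denied

    def issue(self, user, password, role, ttl_seconds):
        # Step 2/4: salted, stretched password hash with a fixed lifetime.
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._creds[user] = (salt, digest, role, time.time() + ttl_seconds)
        self.revoked.discard(user)

    def revoke(self, user):
        self.revoked.add(user)

    def authenticate(self, user, password, now=None):
        """Return the user's role, or None if unknown, revoked, expired or wrong."""
        now = time.time() if now is None else now
        rec = self._creds.get(user)
        if rec is None or user in self.revoked:
            return None
        salt, digest, role, expires_at = rec
        if now > expires_at:
            return None
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return role if hmac.compare_digest(cand, digest) else None

    def read_record(self, user, password, record, now=None):
        """Return the record with fields outside the role's need masked."""
        role = self.authenticate(user, password, now)
        if role is None:
            self.audit.append((user, "denied"))
            return None
        allowed = ROLE_FIELDS[role]
        self.audit.append((user, "read", sorted(allowed & set(record))))
        return {k: (v if k in allowed else "***") for k, v in record.items()}
```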

No one can diminish the importance of ensuring an employee's computer is up and running, or up-to-date with the latest virus patches. But without working to protect the identities of employees, customers and partners, the loss that could be absorbed by an organization could be immeasurable. If proprietary information is compromised, the trust of the entire organization can be lost, not to mention the loss in actual dollars a security breach could cost a company.

More Stories By John Worrall

John Worrall is vice president of worldwide marketing for RSA Security Inc.



Most Recent Comments
Free Credit Report Guy 06/20/07 02:06:47 PM EDT

If you have been a victim of identity theft, you will know that it's a hassle! I feel the easiest way people "leak" their information to crooks is in the mail. After that it's getting phished online. If everyone gets educated about these two areas and is proactively on guard, ID theft would be a much, much smaller problem than it is today.

Dave D.

http://creditreport.meibz.com

Kim Lee 09/07/04 05:07:51 PM EDT

Check with Scott Shnell's replacement at RSA. Chad Salinas contact info for prospects that declined to purchase; Joint RSA client implementations. Chad Salinas vendor references; What other 2-factor authentication schemas has the bank worked with? See Chad Salinas implementation at Morgan Stanley. Chad Salinas personal/ professional references; Chad Salinas Competitors by service offering; Chad Salinas relevant articles about company or industry; Chad Salinas What sort of recurring revenue is generated by these projects. Chad Salinas Status the biometric company regarding their use of RSA technology. Chad Salinas What Form Factor is congruent with what target market is using today? Chad Salinas What impediments are there to locking credit reports? Chad Salinas Can you find a recent 2-factor rollout for a major financial services firm where the senior technical guy understood the business justification? Chad Salinas Who was the internal project champion? Chad Salinas Did anyone do any followup with the project's stakeholders. Chad Salinas

rachel 05/13/04 09:08:24 AM EDT

I honestly believe that identity theft is one of the shallowest new-age crimes in America. For all you out there who perform identity theft, I hope you realize how many lives and families are destroyed by debt and loss of money.

Joe Bentson 05/10/04 12:24:26 AM EDT

He makes a very important point. Too many IT departments are putting all their security efforts on the OUTSIDE to prevent thieves from getting in, however the MOST DANGEROUS thieves are already on the inside as employees !!!

At least 40% of ID Theft victims KNOW the criminals who are using their ID. Almost 10% are FAMILY members.

Thus, with USB storage devices about the size of a lighter or smaller, we need to do initial and continued background checks on those handling the assets from the INSIDE.

Articles seldom talk about thieves who use IDs when caught for a crime, then walk away on bond. Then the real person, the victim of ID theft, is arrested when the criminal does NOT appear in court. It's much more expensive, because in many cases they have to post a VERY HIGH bond as a bail jumper and also hire a lawyer to defend themselves !!!

Best wishes,
Joe
www.JoeB.ICouldBeYou.com

Yan Ross 05/07/04 04:32:36 PM EDT

Great observation about the vulnerabilities and potential liabilities involving identity-related information held by businesses. Let me add a few more:

-- The company whose information security is breached incurs liability for financial and other damages to the victim.

-- Such liability may prevent the company from receiving a "clean audit" by its accounting firm.

-- Errors and Omissions [E&O] and Director and Officer [D&O] insurance may not cover such losses.

From the consumer/client/customer's side, a comprehensive protection plan covering access to credit report and FICO score, continuous credit report monitoring, immediate e-mail notification, restoration service, and expense reimbursement can be accessed at www.yanross.us