Creating a Security Verified Label Standard Patricia Joseph Joseph Consulting LLC

Agenda  Introduction  The Threat is Real & increased trends in security breaches  What is the security problem, if 80% of breaches are preventable?  Need for security and the need for security Labels  Putting it all together; The security verified standard Labels  Conclusion  Questions

Introduction  A standard of measurement is needed in the industry to allow consumers the ability to determine quickly if the software and hardware functionality they wish to implement has the ability to be secure within their network.

The Threat is Real  Increase in security Breaches:  The number of data breaches up 21% in 2006 and Quadrupled in 2007  In % increase over 2007  In the past five years, approximately 500 million records containing personal identifying information of United States residents stored in government and corporate databases was either lost or stolen.  80% of people have had their information stolen in the past five years at least once.

What are the gypsies after?  Everything  Credit card information  Health information  Marketing information  Personal Information  Your entire computer; CPU, Hardrive  Just about anything they can steel, aka The Gypsy Hacker

80% security Breaches preventable  In the case of a large discount store, mentioned in my abstract, wireless access was left completely open and unsecured.  In the case of a major health care industry, down for a month because of an XXS hacker message.  Major health association allowed major queries to the database exposing confidential information to the public  Simple fixes, Detrimental Impacts

Why are there a high number of breaches if 80% are preventable  How could we have a breach? We have a firewall  Main focus is on Functionality  Cost of Security Education of Security Chief Technical officer  Ignorance of the organization Individuals in the organization may not be educated in security or aware of security patches and fixes

Need for Security  Do we need Security and security standards?  Of course

Known Security Standards  Example of Standards:  Application Wasp  Sox/PCI  2700, NIST  IEEE  How do we put all of these standards together?

Standards Working Together Security Verified Label Standard implemented as both a 1. Software Standard 2. Organizational standard

All Working together: Security Verified Label standards  Using the OSI model as our basis of organization, we can distinguish and set standards for each layer Application layer Presentation layer Session layer Transport layer Net w ork layer Data link layer Physical layer Application layer standards Presentation layer standards Session layer standards Transport layer standards Network Layer Standards Data link layer standards Physical layer standard

Security Verified Label Standard 1. Software companies comply with set standards of how to make their software secure  Examples: Web software: SSL Capable + instructional documentation AIX containing documentation to harden OS

Security Verified Label Standard 1. Consumer has a simplified way of telling if software company has considered security through reading the package or product description.  Example: Unix Software Physical Level Secure capable Datalink Level Secure capable Network level Secure capable Web Software Application Level secure capable Session Level secure capable

Security Verified Label Standards: Benefits  Faster and easier way to tell through labels if the software you are buying has security capabilities.  Easy way to tell security for non-technical and non-security educated  Cheaper for organizations to implement this security standard  Easier for organizations to implement security through instructions given with software. If the software claims it fits this standard it must come with implementation instructions  Responsibility lies on each part of the organization

Working Together: IT Organization  Each part of the organization is responsible for their own piece of security Database Administrator MiddleWare Administrator Network Administrator Unix or Windows Admin Application Developer

Conclusion: Creating an Overall Standard  Security decisions need to be made easier, more cheaply for consumers  Using the OSI Model as our level by which to measure a level of security, a label can be given to the software stating at what level it has the potential to be secure.  This security verification standard would outline how the software and hardware would be considered secure. Each level according to the OSI model would contain it’s own set of standards. Once the software/ hardware passes the verification a label can appear next to the software. This will make decisions easier for consumers and essentially easier for upper management to understand.

Acknowledgements  preventable preventable  rocket rocket   _Data_Breach_Totals_Soar.shtml