UOCAVA Report Overview and Status July 2008 Andrew Regenscheid Computer Security Division National Institute of Standards and Technology.

Slides:



Advertisements
Similar presentations
IEEE P1622 Meeting, Oct 2011 IEEE P1622 Meeting October 24-25, 2011 Overview of IEEE P1622 Draft Standard for Electronic Distribution of Blank Ballots.
Advertisements

Security Controls – What Works
Information Security Policies and Standards
FIT3105 Security and Identity Management Lecture 1.
Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
Summary of Lecture 1 Security attack types: either by function or by the property being compromised Security mechanism – prevention, detection and reaction.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Electronic Banking BY Bahaa Abas Noor abo han. Definition * e-banking is defined as: …the automated delivery of new and traditional banking products and.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
TGDC Meeting, December 2011 Andrew Regenscheid National Institute of Standards and Technology Update on UOCAVA Risk Assessment by.
TGDC Meeting, Jan 2011 UOCAVA Pilot Projects for the 2012 Federal Election Report from the UOCAVA Working Group Andrew Regenscheid National Institute of.
TGDC Meeting, July 2011 Overview of July TGDC Meeting Belinda L. Collins, Ph.D. Senior Advisor, Voting Standards, ITL
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.
TRACs Security Awareness FY2009 Office of Information Technology Security 1.
Securing Information Systems
Information Security Technological Security Implementation and Privacy Protection.
SEC835 Database and Web application security Information Security Architecture.
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.
United States Election Assistance Commission EAC UOCAVA Documents: Status &Update EAC Technical Guidelines Development Committee Meeting (TGDC)
Confidentiality Integrity Accountability Communications Data Hardware Software Next.
Tutorial Chapter 5. 2 Question 1: What are some information technology tools that can affect privacy? How are these tools used to commit computer crimes?
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Computer Security “Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware,
Computer & Network Security
12/9-10/2009 TGDC Meeting NIST Research on UOCAVA Voting Andrew Regenscheid National Institute of Standards and Technology
Center of Excellence for IT at Bellevue College. Cyber security and information assurance refer to measures for protecting computer systems, networks,
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
Chapter 13 Understanding E-Security. 2 OBJECTIVES What are security concerns (examples)? What are two types of threats (client/server) Virus – Computer.
ECE Lecture 1 Security Services.
UOCAVA Voting in Four States A Study of Election Administration.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
Privacy, Confidentiality, and Security Unit 8: Professional Values and Medical Ethics Lecture 2 This material was developed by Oregon Health & Science.
Project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Business Convergence WS#2 Smart Grid Technologies.
TGDC Meeting, Jan 2011 Accessibility and Usability Considerations for UOCAVA Remote Electronic Voting Systems Sharon Laskowski, PhD National Institute.
Note1 (Admi1) Overview of administering security.
Privacy, Confidentiality, and Security Component 2/Unit 8c.
SECURITY Professor Mona Mursi. ENVIRONMENT IT infrastructures are made up of many components, abstractly: IT infrastructures are made up of many components,
TGDC Meeting, July 2010 Security Considerations for Remote Electronic UOCAVA Voting Andrew Regenscheid National Institute of Standards and Technology
1 Chapter 1 – Background Computer Security T/ Tyseer Alsamany - Computer Security.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
Last Minute Security Compliance - Tips for Those Just Starting 10 th National HIPAA Summit April 7, 2005 Chris Apgar, CISSP – President Apgar &
Information Systems, Security, and e-Commerce* ACCT7320, Controllership C. Bailey *Ch in Controllership : The Work of the Managerial Accountant,
Scott Charney Cybercrime and Risk Management PwC.
TGDC Meeting, July 2010 Report of the UOCAVA Working Group John Wack National Institute of Standards and Technology DRAFT.
Internet Voting Ashok CS 395T. What is “E-voting” Thomas Edison received US patent number 90,646 for an electrographic vote recorder in Specific.
NIST Voting Program Page 1 NIST Voting Program Lynne Rosenthal National Institute of Standards and Technology
Chap1: Is there a Security Problem in Computing?.
TGDC Meeting, Jan 2011 Help America Vote Act (HAVA) Roadmap Nelson Hastings National Institute of Standards and Technology
TGDC Meeting, Jan 2011 Review of UOCAVA Roadmap Nelson Hastings National Institute of Standards and Technology
Protecting Yourself from Fraud including Identity Theft Personal Finance.
Jump to first page Internet Security in Perspective Yong Cao December 2000.
Computer threats, Attacks and Assets upasana pandit T.E comp.
CPT 123 Internet Skills Class Notes Internet Security Session B.
Lecture1.1(Chapter 1) Prepared by Dr. Lamiaa M. Elshenawy 1.
TGDC Meeting, Jan 2011 Development of High Level Guidelines for UOCAVA voting systems Andrew Regenscheid National Institute of Standards and Technology.
TGDC Meeting, Jan 2011 Path Forward for FY11 UOCAVA Activities Nelson Hastings National Institute of Standards and Technology
1 Integrated Site Security Project Denise Heagerty CERN 22 May 2007.
TGDC Meeting, Jan 2011 Report from Workshop on UOCAVA Remote Voting Systems Nelson Hastings National Institute of Standards and Technology
1 Network Security Maaz bin ahmad.. 2 Outline Attacks, services and mechanisms Security attacks Security services Security Mechanisms A model for Internetwork.
LESSON 12 Business Internet. Electronic business, or e-business, is the application of information and communication technologies (ICT) in support of.
TGDC Meeting, Jan 2011 UOCAVA Pilot Projects for the 2012 Federal Election Report from the UOCAVA Working Group Andrew Regenscheid National Institute of.
INFORMATION SYSTEMS SECURITY AND CONTROL.
INFORMATION SECURITY The protection of information from accidental or intentional misuse of a persons inside or outside an organization Comp 212 – Computer.
Cyber Issues Facing Medical Practice Managers
INFORMATION SYSTEMS SECURITY and CONTROL
Module 4 System and Application Security
Presentation transcript:

UOCAVA Report Overview and Status July 2008 Andrew Regenscheid Computer Security Division National Institute of Standards and Technology

6/17/2008 Page 2 Introduction Research use of technology in absentee voting for military and overseas citizens Identify options for further study Risk analysis of voting methods Recommend security controls

6/17/2008 Page 3 Contents Overview of UOCAVA Report Security needs and Transmission Options Risk Analysis Methodology Next Steps

6/17/2008 Page 4 UOCAVA Report Continuing research Begun drafting report

6/17/2008 Page 5 Overview of UOCAVA voting Report looks at using different technologies for all aspects of UOCAVA voting Splits voting process into three stages Voter Registration/Ballot Request Ballot Delivery Ballot Return Identifies information types handled in each stage

6/17/2008 Page 6 Security Impacts Three security objectives Confidentiality Integrity Availability Impacts for each objective defined by: Low: Loss will have a limited adverse effect Moderate: Loss will have a serious adverse effect High: Loss will have a severe or catastrophic adverse effect

6/17/2008 Page 7 Registration/Request - 1 Registration Must verify voter’s identity Determine place of residency Exchange/provide authentication information. e.g. voter signature, PIN, cryptographic keys Ballot Request Must authenticate voter Provide address to send physical or electronic ballot

6/17/2008 Page 8 Registration/Request - 2 Information Types: Voter name, residency information, mailing address Voter authenticator (e.g. signature, PIN) Identifiers (e.g. license and/or passport numbers) Security Impact: Confidentiality: Moderate Integrity: Moderate Availability: Moderate

6/17/2008 Page 9 Registration/Request -3 Transmission Options: Postal Mail: Delivery times, interception Telephone: Confidentiality, Authentication Fax: Confidentiality Confidentiality, Authentication Web-based: Authentication, Phishing

6/17/2008 Page 10 Ballot Delivery - 1 Distribute blank ballots to voters Voter authentication not necessary Must be done after contests are finalized and ballots prepared

6/17/2008 Page 11 Ballot Delivery - 2 Information Types: Voter name, address(es) Contests (i.e. the ballot) Possible ballot tracking identifiers Security Impact: Confidentiality: Low Integrity: High Availability: High

6/17/2008 Page 12 Ballot Delivery - 3 Transmission Options: Postal Mail: Delivery times, Integrity Fax: Ballot accounting Integrity, Ballot accounting Web-based: Integrity, Ballot accounting

6/17/2008 Page 13 Ballot Return - 1 Returning marked ballots to LEOs Voters must send authentication information with ballot (e.g. a signature, PIN, digital signature, etc.) Technical/Procedural controls to provide voter privacy (e.g. privacy envelope, cryptography)

6/17/2008 Page 14 Ballot Return - 2 Information Types: Voter name, address(es) Voter authenticator (e.g. signature, PIN) Voter identifiers (e.g. social sec., license and/or passport numbers) Contest choices Possible ballot tracking identifiers Security Impact: Confidentiality: Moderate Integrity: High Availability: High

6/17/2008 Page 15 Ballot Return - 3 Transmission Options: Postal Mail: Delivery times, Integrity Telephone: Integrity, Authentication Fax: Integrity Integrity, Authentication, Eavesdropping Web-based: Integrity, Authentication, Denial of Service, Phishing

6/17/2008 Page 16 Risk Analysis Methodology Provide a high-level analysis for each stage and transmission option Methodology based on NIST SP Similar format to SERVE risk assessment Information-centric Storage In-transit

6/17/2008 Page 17 Risk Analysis Overview System vulnerabilities Threat sources Level of effort Detection Impact Mitigations

6/17/2008 Page 18 Risk Analysis System Vulnerabilities Will focus on technical vulnerabilities What information can an attacker: Access Modify Inject Deny access

6/17/2008 Page 19 Risk Analysis Threat Sources Legitimate Voters System Operators/Election Officials Insiders Hostile Individuals Hostile Organizations Government-Sponsored Organizations

6/17/2008 Page 20 Risk Analysis Level of effort Low: e.g. in-person voter coercion Moderate: e.g. Denial of service High: e.g. many insider attacks

6/17/2008 Page 21 Risk Analysis Probability of Detection Immediate: e.g. Denial of Service High: e.g. phishing Moderate: e.g. virus infecting PCs Low: e.g. inside attacks, malicious software

6/17/2008 Page 22 Risk Analysis Impact Confidentiality E.g. Voter privacy, vote-selling Integrity E.g. adding/modifying ballots Availability E.g. Delivery times, denial of service

6/17/2008 Page 23 Risk Analysis Mitigations Provide recommended security controls Taken from NIST SP Discuss system-specific controls Many are procedural

6/17/2008 Page Security Control Technical Security Control AU-9 Protection of Audit Information The information system protects audit information and audit tools from unauthorized access, modification, and deletion. Enhancement: The information system produces audit records on hardware- enforced, write-once media.

6/17/2008 Page Security Control Procedural Security Control AU-11 Audit Record Retention The organization retains audit records for [Assignment: organization-defined time period] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

6/17/2008 Page 26 Future Directions Where We Are Short-Term Options Long-Term Options

6/17/2008 Page 27 Where We Are Risk analysis a first step NIST’s role: Use expertise in computer security to identify risks and suggest controls Analysis provides information about a variety of high-level approaches NIST and EAC will discuss future directions

6/17/2008 Page 28 Recommendations Report will recommend high-level controls Additional effort needed Report looks at pieces of systems System-wide perspective needed Requirements needed for rigor and testability

6/17/2008 Page 29 Short-Term Options Electronic Ballot Delivery Lowest hanging fruit Could cut transmission times in half Few security issues: Ballot Accounting: Use tracking identifiers Integrity: Digitally sign electronic ballots Availability: Backups, Firewalls

6/17/2008 Page 30 Short-Term Options Electronic Ballot Request Few security problems: Information mostly non-sensitive Web-based solutions can prevent eavesdropping Authenticating voted ballots more important Voter Registration is a separate issue Must verify voter’s identity Outside scope of NIST’s efforts

6/17/2008 Page 31 Long-Term Options Electronic Ballot Return and Internet voting Would need to be part of larger research effort Some promising technologies, but: Extensive use of cryptography Supporting IT infrastructure not in place

6/17/2008 Page 32 Long-Term Options Challenges of E-Ballot Return Unique set of risks pose a challenge Systems include risks of DREs Remote authentication is more challenging Unique voter-side challenges: Phishing Denial of Service Security of voters’ PCs Half of system is outside election officials’ control

6/17/2008 Page 33 Summary Report delivery: Fall 2008 Provides research on using technology to improve UOCAVA voting process Identifying options for further study Short-term: Electronic Ballot Delivery & Request Long-term: Electronic Ballot Return

6/17/2008 Page 34 Questions

6/17/2008 Page 35 Internet Voting vs. Banking Easy to detect fraud in banking systems Voter privacy makes fraud detection hard Fraud does occur in banking- Phishing, credit card fraud, password theft, etc. Possible to recover from banking fraud Banks can compensate fraud victims Can investigate where money went Cost-Benefit analyses possible with banking

6/17/2008 Page 36 Internet Voting Estonia has a nation-wide Internet voting system Uses national ID’s employing smart cards for authentication Similar methods employed in VoI trial Doesn’t solve voter-side security concerns

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.