
Group to shed light on secure identity management threats

By Robert Westervelt, News Editor
27 Oct 2009 | SearchSecurity.com


The consequences of failing to adequately address identity management issues could have a profound impact on digital forensics as law enforcement tries to find ways to couple digital and physical identities and ultimately bring cybercriminals to justice. But identity management innovation is not keeping pace with the constantly changing threat landscape, making the need for further research more critical than ever.

That is the message being driven by the Center for Applied Identity Management Research (CAIMR), a non-profit organization based in Washington, D.C., that is helping government agencies, including the Secret Service, shape law enforcement investigations, develop defenses and adjust policies outlining secure identity management. The organization is made up of the Secret Service, the Department of Defense, a collaboration of universities, as well as private sector companies, including IBM, Symantec Corp. and Visa Inc.

"When we moved into the digital realm I don't think we were prepared for dealing with identity management," said Gary R. Gordon, executive director of CAIMR. "It's been a process where we've had to catch up."

With 2009 marking a year of economic uncertainty, resulting in staff layoffs and company mergers, many enterprises are focusing on tried and true identity management and access control processes to identify insider threats and maintain continuity. But while businesses begin to understand the nature of insider threats, security professionals remain under constant pressure to address the rapidly evolving threat landscape that targets account credentials and places a high value on identities.

Gordon said he sees identity management evolving rapidly to meet the current threat landscape. CAIMR is creating a database of the current threats to identity management and building threat scenarios to understand the capabilities that exist and help mitigate those threats. The organization is hosting a panel discussion on the subject this week at the CSI 2009 Annual Conference in Washington, D.C. It is also expanding on the areas it has identified: cybersecurity, as it relates to digital forensics and linking physical and digital identities; information protection, to identify attack vectors and eliminate vulnerabilities; information sharing, to focus on shared data sets to improve authentication; and policy and privacy, to better shape legislation.

The CAIMR Identity Dynamic Risk Assessment Project is creating a database of attack scenarios and possible targets so organizations can use analytical software to link threat scenarios with the current defense capabilities, Gordon said. The analysis will help the organization understand where the current gaps are for further research as well as help member organizations develop identity management solutions based on need and identify future threats. Law enforcement can use the analysis to speed investigations while the Department of Defense can create attack scenarios that specifically target identity management technologies to develop appropriate defenses.

"While there are various concerns and challenges that each of the entities have, there is a considerable amount of overlap as well, so everyone could benefit," Gordon said.

One of the major challenges has been to categorize the threats. For example, identity theft threats, which have led to thousands of data breaches, can be mapped to various scenarios, such as phishing, malware and other attack vectors that hackers are using. Other threats plague the financial services industry, such as keeping tabs on potential insiders, and the healthcare industry, which is struggling to protect patient identification in digital format.

"There's a lot to this landscape," Gordon said. "We need to have a much richer picture of what exists and then we'll be able to focus on the specific needs."

The data can also be used to better balance privacy with policy decisions. Gordon called privacy a key component of identity management. Legislators could call on the research to better understand the consequences and unintended consequences of what they're trying to do, he said.
