Identity Theft - Should You Be Worried?
by Robin Gertsen - Senior Product Marketing Manager, PortWise - Tuesday, 2 May 2006.
Pick up any magazine or newspaper, surf to any Internet technology or news site, turn on the TV and listen to the news and it becomes apparent that identity theft is a major problem. And not just individuals are suffering from this new crisis, but public and private organizations are also feeling the effects of this growing problem.

From recent cases in the media, involving major organizations such as Bank of America, America Online, Berkeley University, Time Warner, and Ralph Lauren, ID theft can have severe consequences, such as direct loss of revenue and stock decline. There are also other major intangible side-effects that can result from a breach of personal data, such as brand damage, loss of customer confidence, and decline in service. The question is, would you do business with an organization that had recently lost thousands or millions of users’ personal data to hackers and scam artists?

For most, the answer would be no. It is clear that something must urgently be done to assure users, both internally and externally, connecting to applications and data from any location using a number of different connectivity methods, such as laptops, home PCs, PDAs, and smart phones.

Where to start

It used to be that all attacks and security breaches took place on the edge of the organization’s network, centered on the firewall. So naturally, organizations focused on enhancing security in the network to ensure nobody could break through the outside perimeters.

Recently, this has all changed. A number of different threats change the way we think about security and how we protect the information most valuable to us.
  • Trojans – programs that get installed on a users device and alters the behaviour of that device without the user knowing it.
  • Keyloggers – programs that capture the keystrokes of a user and sends it back to a third party.
  • Screen-scrapers – programs that capture screen information on a users device.
  • Password sniffers – programs that detect what passwords are being used.
  • Viruses – code that infects a users device and often destroys data and settings on that device.
All these threats take the burden away from the network and moves the threats to end user devices being used to connect to data and applications. Devices need to be assessed before even being allowed to connect to an organization’s network, and only if the device meets the set security policy, should the user be allowed to proceed on to the authentication stage.

Figure 1. The location of threats and attacks have moved from the edge of the network to user devices.

On the user devices, there are many requirements that organizations should put on devices to ensure ID theft is minimized. Only when the requirements are met should a user gain access to the network. Some of these requirements could include:
  • Anti-virus software is installed and up-to-date.
  • Spyware and Trojan checking software is installed.
  • Latest operating system and patches are installed.
  • Device is approved for entry.
Other things that could be checked, depending on the situation, are network configuration settings, domain and registry settings, and open ports on the device.

To minimize ID theft, security needs to start at the end point, and only when the end-point is secure should users be allowed to proceed with entering user names and passwords.

Preventing others from using your identity


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th