INFORMATION SECURITY Volume II JUNE 2009

Transcript of Information Security

Page 1: Information Security


Page 2: Information Security

CONTENTS

Cyber Wars Fought on New Battlefields 4

New Education in Virtual World for Kids 4

Controlling Access While Controlling Cost 4

Dynamic Risks Demand Vigilance 5

2009 Gartner Information Security Summit 6

Memorial Hospital: Smart Card Optimization 6

Preventative Medicine for your Network 6

‘Smart’ Solution for Health Care IT 7

MRC: Increasing e-Commerce Profitability 7

Southwest Airlines Cuts Fraud 50% 7

The Fight Against Online Fraud 7

Ask the Information Security Experts 8

Publisher: Max [email protected]

Editorial Contributor: David Duffy
Design: Jez MacBean
Printer: Washington Post
Photos: ©iStockphoto.com

MediaPlanet is the leading publisher in providing high quality and in-depth analysis on topical industry and market issues, in print, online and broadcast.

For more information about supplements in the daily press, please contact Kayvan Salmanpour on +1 646 922 1400 [email protected]

This section was written by MediaPlanet and did not involve The Washington Post News or Editorial Departments.

www.mediaplanet.com


Combating Cybercrime in an Information-Driven World

Not only has information technology revolutionized the way we live, work, and play, it has also changed the way crimes may be committed. The same digital infrastructure that we rely upon has also given rise to a thriving underground economy that is mature, professional, efficient, and profitable.

In this clandestine marketplace, cyber-criminals from around the globe buy, sell, and trade millions of dollars worth of stolen goods as well as services and tools designed to facilitate online theft and fraud. For example, some cybercriminals might choose to advertise or buy stolen identities, credit card information, or bank account data. They even offer discounts for bulk purchases. Others might provide services, such as cashing out financial accounts to untraceable locations online in just minutes. Still others might sell malicious tools, including botnets, vulnerability scanners, and vulnerability exploit kits. This commerce creates income-generating opportunities throughout the supply-and-demand chain of the underground economy and ultimately increases the risk to the global economy.

Regardless of their role in the underground economy, cybercriminals are after the same thing: end-user data, from full identities complete with name, address, and Social Security number, to email addresses and passwords, banking credentials, and credit card numbers with CVV2 details. In 2008 an astonishing 78 percent of threats to confidential information exported user data, according to the latest volume of the Symantec Internet Security Threat Report (ISTR), which provides an annual overview and analysis of worldwide Internet threat activity and a review of the Internet threat environment. This data could be used by cybercriminals to steal an identity or to help them launch additional attacks.

The success of the cyber underworld hinges on the collaboration and cooperation of individual cybercriminals as well as crime syndicates operating from virtually anywhere an Internet connection can be found. And, as more and more countries extend their broadband infrastructures, cybercriminals will gain an even larger pool of potential victims and business partners.

The most effective defense against cybercrime will require the combined efforts of individual users as well as businesses, government agencies, and schools and universities. Thanks in part to many public/private partnerships such as the National Cyber Security Alliance (NCSA) and Internet Keep Safe Coalition, tips for safely navigating cyberspace are available from the convenience of virtually any browser.

Technology providers, too, are working aggressively to deliver better protection. Through increasingly sophisticated yet easy-to-use products and services that safeguard consumers and businesses against evolving internal and external cyber threats, regardless of the computing device they are using and the network they are on, Internet users have a powerful ally in the fight against cybercrime. And new platforms and methods for securely storing and using data are continually emerging, while next-generation information management frameworks now make it easier for organizations to enforce compliance with the many industry and government standards designed to protect them.

The naming of a cyber security czar by U.S. President Barack Obama will go a long way in facilitating the coordination of a public/private partnership by fostering greater information sharing between private business and government agencies in the U.S. The designation of a cyber security coordinator, together with the proposed near-term action plan aimed at supporting U.S. cyber security policy, will help focus efforts by the federal government to invest more resources into cyber security research and development projects shared by a public/private partnership. Moreover, the appointment of a cyber security policy official will lend the weight of the White House towards more cooperation among business and law enforcement to address cybercrime on an international scale.

As individuals and organizations in the public and private sectors work together to fight cybercrime and are supported by government leaders around the world, the global online community can confidently maximize the opportunities and benefits the Internet provides.

Enrique Salem, President and CEO, Symantec

Page 3: Information Security
Page 4: Information Security


Cyber Wars Fought on New Battlefields
From the gateway to the cloud, it’s all about knowing your enemy

If there was any doubt left, the news that the White House is naming a “cyber czar” and the Pentagon is creating a new military cyber command should have dispelled it. We are living in the age of cyber warfare.

Consider the following: cyber attacks forced the FBI and the U.S. Marshals to shut down part of their computer networks last month. In May, the Wall Street Journal reported the Defense Department detected 360 million attempts to break into its network in 2008 (compared with six million in 2006). Cyber crooks have penetrated both the U.S. electricity grid and the Pentagon’s biggest weapon program. The Department of Transportation’s inspector general says the U.S. air traffic control system is vulnerable to cyber attacks. Then, of course, there was Georgia.

“That was the wake-up call, if we needed one,” says Darrell Covell, founder and chief technology officer of Rsignia, Inc., a network security and protection company active in cyber defense. “Russian cyber gangs shut down that country’s entire infrastructure. It’s the current case study for cyber warfare capabilities.”

The United States has significant cyber warfare capabilities – both defensive and offensive – and companies like Rsignia are working with government departments and agencies to improve current cyber defenses and develop new resources. One critical area, of course, is controlling access. The Office of Management and Budget’s Trusted Internet Connections (TIC) program is reducing the federal government’s connections, or access points, to the Internet from the more than 4,300 in January 2008 to fewer than 100. “You just can’t secure that many gateways,” says Gary Woods, Rsignia’s director of federal sales for engineered solutions. But with a manageable number of access points, applications like ones developed by Rsignia can screen prospective entrants, including those using “spoofed” Internet protocol (IP) addresses to disguise their true identities. “When the UPS man shows up at your door, maybe he’s for real, and maybe he’s someone else entirely,” Woods says. “We can strip off the uniform and look deeper into the protocols to decide whether to let the guy in, block him – or let him in and gather intelligence about who he is and what he wants.”

It’s also possible to see what he takes with him when he leaves and track where he goes. That kind of intelligence is a big part of being prepared and ultimately winning a cyber war. As Covell puts it, “Once you find a snake in the grass, why wouldn’t you want to see what he’s up to?”

Cyber attacks come in many forms, and attackers have a wide range of motives – political, financial, philosophical, organizational, etc., and some are just plain ticked off. Today, just about any business is a potential target. According to Paul Sop, Chief Technology Officer at Prolexic Technologies, a firm specializing in network protection services, the most debilitating form of cyber attack is the distributed denial of service (DDoS) attack, in which thousands of hijacked PCs are assembled into a “botnet” and can be used to bombard the target with Internet traffic to the point where legitimate visitors can’t get through. DDoS attacks were used against Georgia last year, and they effectively took the Baltic nation of Estonia off line during a dispute with Russia in 2007. These attacks are increasingly large and intelligent by design, global in nature, and generally difficult to trace back to the source of the attacker(s).

The problem, in a nutshell, says Sop, is that it’s “many against one. These days, any motivated attacker can download botnet building programs from the Internet. A person with the right skills can easily assemble a botnet of 10,000 or 20,000 computers in a day, and these botnets can’t be disabled fast enough. Ultimately the best strategy is to develop a capability to defend against these DDoS attacks.” Prolexic’s solution engages the enemy “in the cloud,” close to the attacker, and takes advantage of Internet routing protocols to divert all the traffic headed for a particular site to globally-distributed scrubbing centers that act as “black holes,” where malicious attack traffic is inspected, filtered, separated from good traffic and blocked – all in real-time.

“Prolexic technology makes it seem like your web site is global and massive – impossible to take down,” Sop says. “Then we have experts who use some pretty incredible technology to prove the requests are from real people, not botnets. We’re fighting the attackers and the attacks they launch. This game is as much about psychology as it is technology. Attackers are always at work inventing new strategies. It’s our job to stay ahead of them.”

New Education in Virtual World for Kids

Children today grow up in a world where online activities can materially compromise the security of home and school computers. For many users, computer security is an unwelcome necessity, and when security measures are finally in place, the last thing the semi-savvy user needs is a child pushing the limits of connectedness.

Many parents and educators are unprepared to help children navigate online security hazards. More than 60% of educators do not know how to teach students about detecting and minimizing viruses (NCSA 2008). “Children need early security training,” says iKeepSafe president, Marsali Hancock. “Illegal downloading of music and games begins in fourth grade; cyber-bullying in second [RIT 2008]. Nothing will undo a parent’s best security efforts like a kid trying to illegally download a game or song.”

With these trends, parents and educators are turning to the next generation in social networking where kids learn essentials of cyber-security and ethics in their favorite setting—a virtual world. WoogiWorld, identified by Parents Magazine as one of the top five next generation sites for kids, has educators and kids alike flocking to this new approach to education.

WoogiWorld CEO Scott Dow tells parents and educators, “WoogiWorld is much more than fun and games; students learn core academic subjects, health, nutrition, music and art. Our unique approach succeeds through a crossover of online and offline activities. ‘Woogies’ earn ‘Watts’ [the currency of this virtual world] by completing important tasks in the real world.” Children learn to balance screen-time with real life, to be active in their communities and helpful at home.

For more information, go to: www.ikeepsafe.org/woogiworld

Controlling Access While Controlling Cost
New app is easy for users too – a key criterion

Human nature being what it is, network security often has as much to do with ease-of-use as it does with passwords and protocols. With the economy in its current state, not adding cost helps too. “We bring higher levels of security to the organization and convenience to the end user,” says Dan DeBlasio, director of business development, Identity and Access Management (IAM) for the Americas, at HID Global, the trusted worldwide leader in providing solutions for the delivery of secure identity.

The launch in March of HID on the Desktop™, which includes the new naviGO™ software, an HID technology card and an OMNIKEY® reader, is an example. The challenge was providing companies “two-factor” user authentication capability (access card and PIN) for desktop and laptop computers, without issuing new “smart cards” to every employee.

The answer lay in enabling existing HID access control credentials – some 300 million have been issued worldwide – to log onto Microsoft Windows. The naviGO application allows badge-holders to manage their enrollment and establish PINs, and provides for access through knowledge-based authentication when cards are lost or forgotten.

“A risk-appropriate solution,” DeBlasio says. “The infrastructure was there, and we weren’t adding a large amount of burden.”

Page 5: Information Security


Dynamic Risks Demand Vigilance that Goes Beyond Compliance
As threats to information grow, more comprehensive solutions are warranted

If your company has a computer network, you don’t just have a security risk. You have a dynamic security risk, that is, one that changes and evolves every hour of every day as the network itself changes with new users, new visitors, new applications and new information, and the makeup of the Internet itself evolves, at a massive rate of speed and complexity.

According to the most recent Internet Security Threat Report by Symantec, the number of new malicious code signatures on the Internet increased 265 percent in 2008 to more than 1.65 million. As the attacks and attackers both become more complex and sophisticated, their most common goal remains constant – financial gain. The Symantec report found that 78 percent of confidential information threats in 2008 exported user data. A February 2009 Symantec white paper on “Web Based Attacks” found that just about any Web site today can be compromised by cyber crooks.

“Too often we tend to think in terms of ‘information security,’ which is a compliance driven posture, as in, I’ve done everything required to make my information secure,” says Jim Butterworth, senior director of cybersecurity for Guidance Software, a provider of cybersecurity, eDiscovery and other digital investigation solutions. “We should think in terms of ‘cybersecurity,’ which means monitoring the operations conducted on your network 24/7/365.”

It’s a fact of Internet life that the bad guys keep getting more insidious, as do the malicious attacks they launch. According to Butterworth, operating systems won’t always recognize that someone has inserted a new piece of malicious software. One current hacker favorite is the malware that enables the so-called “drive-by download.” It sits on a Web site the attackers have compromised and looks for vulnerabilities on visiting computers. When it finds one, it deposits more malware designed to steal the visitor’s personal information. The visitor doesn’t have to do a thing to launch the attack, and without vigilant monitoring, the owner of the web site will not be aware anything is amiss.

GUIDANCE SOFTWARE
This is where companies like Guidance Software can help. “We have over a decade of experience in digital forensics,” says Butterworth. “We’re used to complex problems. We’ve lived in a binary world so we know what it looks like – or should look like. We’ve designed our applications to recognize things an operating system maybe won’t.”

About thirty percent of Guidance Software clients are government departments and agencies, such as the Departments of Defense, State and Justice, and the SEC. One factor companies looking to enhance network security should bear in mind – the need to protect evidence in a forensically sound manner. In addition to its EnCase Cybersecurity software solution, the company’s professional services organization assists with digital investigations. As Butterworth puts it, “At the outset, we don’t know whether we ultimately will be looking to assist in the termination of an employee, litigation against a competitor, or the incarceration of a criminal. We do know we’re likely to end up in court, and that means the investigation can’t contaminate the evidence. We don’t change anything. We maintain a sound environment.”

Jim Butterworth, Senior Director of Cyber Security, Guidance Software, Inc.

Page 6: Information Security


2009 Gartner Security Summit Focuses on Network and Career Security
Information security needs are growing faster than ever as challenges and solutions become more complex.

At the same time, the economy is applying the heaviest budgetary pressure in decades. The 2009 Gartner Information Security Summit, June 28-July 1 in Washington D.C., focuses on the IT security professional and how they can optimize their value while enhancing their skills and knowledge to better protect their organization in tough economic times.

ANALYSTS
“Our team of analysts, led by conference chairs, Vic Wheatman, Chris Byrnes and John Pescatore, will concentrate on the tools, technologies and management practices that are needed to run a security operation that’s efficient, safe and economical,” said Alwyn Dawkins, senior vice president, events, at Gartner, Inc. “The program includes privacy policies and privacy protection tools and emerging trends and new federal initiatives regarding cyberspace.”

Dawkins recently offered some advance insights on what else to expect at the 2009 Summit.

Q. Who should attend?

A. Anyone with an interest in enterprise-wide security and critical infrastructure protection. CIOs, CSOs, CISOs and CTOs, of course. But also other IT executives, network managers, risk managers, and auditors. Because of the pervasiveness of the Internet in business today, just about any senior executive will find value. Since we’re in Washington, we included a special segment for people working in the public sector and a suggested agenda for government attendees.

Q. Tell us a little about the overall agenda.

A. There are more than 100 sessions on an incredible range of topics, all geared toward protecting your IT infrastructure, keeping your business secure, and managing your career in a time when it will clearly be affected by both technology trends and economic dynamics. We’re excited by our outside keynote speaker, David Sanger of the New York Times, who’s just published a thought-provoking book that’s already climbing the best-seller charts on the challenges facing the new administration in cyberspace. We’ll also have a keynote panel on national cyber security strategy at a time when the president and the secretary of defense have put this issue front and center on the national agenda.

Q. What about some of the smaller sessions?

A. We’re seeing a lot of interest in cloud computing and government security issues, managing costs and maximizing value, and a case study on the costs and cures of data breaches with the CEO of Heartland Payment Systems. There are also 16 analyst/user roundtables, with 12 to 15 participants, allowing for give and take with those who share an interest in a particular topic.

Attendees are eligible for CPE credits (ISC2/CISSP and ISACA). Incentive pricing available. More information at www.gartner.com/us/itsecurity

Alwyn Dawkins, Senior Vice President, Gartner Events

Practicing Preventative Medicine for your Network

Consider a CAT scan for your computer network. Just as preventative medicine is critical to health care, examining your computer, network, or data system for vulnerabilities is essential to keeping it safe from digital viruses and a host of other threats.

Billy Austin, chief security officer of Saint Corporation, which provides vulnerability assessment and penetration testing tools, says 15 new network vulnerabilities are disclosed every day – that’s almost 5,500 a year – and those are only the ones that are made public. Some lead to large scale damage. By the end of 2008, the Downadup (also known as Conficker) worm had exploited a single vulnerability to infect more than a million individual computers, according to Symantec’s most recent Internet Security Threat Report.

VULNERABILITIES
Software provided by Saint Corporation can run the equivalent of a CAT scan on a single computer or multi-machine network and show all the vulnerabilities, whether missing patches or configuration errors or something else, related to specific IP addresses. “We can scan 10 machines or 100,000 – daily,” Austin says. The software identifies vulnerabilities and any exploits that have occurred. It will suggest repairs or restoration. It can also conduct penetration testing, that is, launch the exploit in a simulated fashion to show the nature and extent of potential damage.

“Most products are defensive in nature,” Austin says. “We provide an offensive module that tests the network just as the bad guys would.” To paraphrase a time-proven adage, a few meg of prevention is worth a gig of cure.

Smart Cards Optimize Info at Memorial Hospital in NH

The Memorial Hospital in North Conway, New Hampshire, had a problem, one common in the health care industry. It was running four different databases of patient information, and of course, none of them talked to each other. Wherever patients went, they had to re-register. They got annoyed. Hospital staff got less than perfect information. The error count crept up. Billing and payments slowed down. Just about every operation was affected.

The available solutions, short of starting over, were few, expensive, and complicated. Until Memorial encountered the LifeMed smart card. “We found we could overlay the smart card system, and it would talk to all four existing databases,” says Lawrence Carbonaro, director of patient access. “Patients would register once, we’d have an audit trail for their information, and encryption and two-part authorization provided the security.”

Memorial spent about a year installing the system. It set goals – among them, improve the quality of data, reduce the error rate from 7 to 2 percent, and shorten reimbursement to fewer than 50 days. The new system went live April 1. So far, 4,000 cards have been issued to the hospital’s potential patient universe of 20,000-25,000.

“Patients love it,” Carbonaro says. “They register once, they swipe the card and they’re good to go.” The error rate on smart card-enabled accounts is already below 3 percent and falling. The hospital is making measurable progress toward all its goals.

Memorial plans over time to make LifeMed smart cards the center of its information system. “That’s another beauty – you can start as small or as big as you want and grow,” Carbonaro says.

Page 7: Information Security

New Tools Give Companies the Upper Hand in the Fight Against Online Fraud
It’s a multi-billion-dollar problem the consumer rarely sees. But companies involved in e-commerce know all about it – they’re footing the bill.

Online fraud. It cost U.S. retailers more than $4 billion last year alone. But the problem affects more than merchants. The anonymity of the Internet provides an easy environment for fraudsters to scam almost any type of organization, including airlines, hoteliers, government agencies, providers of digital downloads and multi-level marketing companies. Social networks have become targets for international con artists who misrepresent their identities to steal from other users.

According to Michael Long, chief product strategist at Accertify, Inc., reining in fraud can have an immediate and long-lasting impact on the bottom line. Long and his fellow founders worked in the online travel industry so they designed Accertify’s software from a merchant’s point of view. “Accertify offers the first end-to-end application to manage e-merchant risk,” Long says. “Previously, clients had to establish relationships with multiple vendors, which was cumbersome and inefficient. We offer a fully integrated platform that focuses on work-flow and closes the gaps fraudsters slip through.”

According to Long, the importance of data management is often overlooked in combating fraud. Companies typically keep data from customer profiles, registrations, purchases, merchandise returns and historical transactions stored in different places, files and formats. Analyzing and importing all this data into the prevention process is key to preventing all types of fraud, from retail crime to social scams.

“Companies need to strengthen their defenses by getting control of their data and using more automation and new technologies in their fraud prevention programs,” Long says. “By choosing a solution that is designed to be flexible and integrates multiple fraud-fighting processes and tools, they will see a reduction in fraud losses more quickly and be able to adapt to new fraud schemes as they occur.”

Accertify has worked with Southwest Airlines to reduce its online fraud rate by 50 percent in four months. Other clients include Urban Outfitters, Tickets.com and 1-800-FLOWERS.COM.

Long points out that the real cost of online fraud goes beyond disputed orders and chargeback penalties. Manual order review is expensive and slows customer service.

Southwest Airlines Cuts Fraud 50% with Accertify

There’s always room for improvement. Southwest Airlines, one of the most successful companies in the history of the industry, enjoys an unprecedented string of 36 consecutive years of profitability. Its online fraud rate was consistently below industry norms, but with online bookings reaching nearly 80 percent in 2008 (southwest.com is the number one airline website for online revenue, according to PhoCusWright), management thought it could do better. It wanted a solution that was scalable, customizable, and leveraged new fraud-fighting technologies without affecting the airline’s well-deserved reputation for customer service.

Southwest selected Accertify’s Interceptas platform because it was the most comprehensive and flexible fraud-prevention platform in the industry. Interceptas was implemented in June 2008, providing a workbench platform that integrated all of the best-practice tools and key components required for a complete fraud prevention program. Implementation was quick and simple. Robust data management enabled Southwest to access 30 times more data in its screening process. The increase in available data paved the way for applying new business rules. The new platform streamlined a cumbersome manual review process and eliminated the need to use the passenger reservation system and other internal systems for reviews. A simple point-and-click process enabled Southwest to completely customize the user interface in less than a day. The integrated nature of Interceptas has also facilitated transaction resolution and chargeback processing.

The result? A significant reduction in fraud, leading to real bottom-line savings. Interceptas has provided Southwest with a clear return on investment. Four months after implementation (the company’s normal chargeback cycle), Southwest saw a 50 percent reduction in its fraud rate as a percentage of sales, and in revenue losses due to fraud. Since then, the fraud rate has continued to decline.

The Electronic Commerce industry is rapidly maturing – evidenced by:

• Consumer confidence levels are at an all-time high for online purchasing.
• Online sales continue to out-pace all other revenue channels for the vast majority of multi-channel merchants.
• The number of merchants falling under the umbrella of e-Commerce is steadily increasing.
• Online categories, industries, and vertical markets are rapidly expanding (social networking, digital downloads, and gaming among many others).

As an industry, we are seeing the traditional merchant challenges of fighting online fraud evolve into opportunities for new business models regarding data security and online payment strategies.

The Merchant Risk Council (MRC), a merchant-led trade association focused on electronic commerce risk and payments, is helping merchants identify and tackle these emerging growth issues that are unique to e-Commerce. The MRC provides industry stakeholders with special conference sessions, hosted webinars, regulatory change updates and reports on today’s growing complexities of fraud, electronic payments, and online security.

The MRC has historically facilitated industry networking aimed at preventing online fraud. Today, our new education and advocacy programs are helping merchants succeed with their online payment, security and risk programs of tomorrow.

Tom Donlea, Executive Director, Merchant Risk Council

‘Smart’ Solution for Health Care IT Modernization

The need to bring the health care industry’s information systems into the 21st century is well known. President Obama recently earmarked $18 billion to drive the process forward. What’s perhaps less well appreciated is that the technology required to put health care records online in a simple, secure and accountable manner already exists.

Smart cards – plastic cards embedded with microprocessors – address several of the critical issues facing the health care industry, according to Randy Vanderhoof, executive director of the Smart Card Alliance. “Smart cards can capture patient information electronically – eliminating 90 percent of the paperwork – and make it available to those who need it while keeping it secure from those who don’t,” Vanderhoof says. “Imagine not having to fill out the same form every time you go to the doctor or the hospital. That’s just the beginning of what smart cards can do.”

Smart cards use sophisticated encryption and two-part authentication to give patients control over who has access to their personal information. They provide an audit trail, recording who has added or changed information. By authenticating the patient and the insurer, they can cut down on medical fraud. And the software behind them can talk to multiple databases, making medical information truly portable. “Think of it as a secure, portable database with translating capabilities,” says David Batchelor, CEO of LifeMed Card, Inc., a supplier of smart card solutions to the health care industry. “It gives patients control over their health care information, and it starts building toward 100 percent accurate and complete medical records.”

“Smart card technology has been around for years, it’s proven,” Vanderhoof says, pointing to employee and government ID cards as examples. “Smart cards provide a secure identity platform when they start architecting the new health care IT systems.”

Page 8: Information Security


Darrell Covell, Founder/CTO, Rsignia, Inc.

What do you believe is the biggest threat in Cyber Security today?

First, acknowledge the reality of cyber terrorism. Stop hiding behind politically correct/safe terms such as “cyber security” and expose it for what it really is: Cyber Warfare! Russian cybergangs successfully shut down Georgia’s entire infrastructure. We cannot delay implementation of cyber offensive capabilities. As we move to 10GigE, upward of 40GigE we need technologies that support such. Second, we need to expose vulnerabilities as these come not only from the outside but also from within. Rsignia has offensive cyber solutions available today providing sophisticated engineered solutions to these vulnerabilities. Exposing vulnerabilities without a solution is irresponsible. Rsignia works closely with the intel community as our engineers address current cyber warfare issues such as ID spoofing, location attribution, fibre tapping, sonet capture, layer correlations, IDS with GUI interfaces that utilize current open source solutions. These are new offensive cyber warfare solutions, where the old toolsets cannot keep up. We need an aggressive forward thinking stance.

Paul Sop, Chief Technology Officer, Prolexic Technologies

What does the future of cyber-warfare, and more specifically cyber-defense, look like?

A couple of trends are at work. The attackers keep getting more sophisticated. They’ve gone up against most of the commercially available technological defenses, and attackers know what they’re dealing with. Attackers increasingly work for sponsors. They keep launching attacks as long as their sponsor pays them. This means it will keep getting harder to put the actual attackers in jail, and we are still left with the problem of how to defend against their attacks. Fundamentally, we have to engage the bad guys in the cloud, on the Internet, before their attacks get near their victims. Fighting these attacks requires much more than technology. You need battle-hardened pros, real people who’ve analyzed all the different styles of attacks out there, people who very likely can recognize who they’re going up against. Victory today is making the attacker lose interest. That’s more and more a matter of psychology and technology. There’s no panacea. As the attacks get more customized, the defenses have to respond in kind.

Jeffrey Liesendahl, Chief Executive Officer, Accertify

What trends are you seeing in online fraud prevention?

Cybercrime is a global problem. Criminals are increasingly organized and sophisticated in using false identities to steal money and goods via the web. So retailers, government agencies and other organizations doing business online have to be more proactive in protecting themselves and their customers, especially in the current economic environment. Companies are doing everything possible to improve the online experience for consumers and maximize e-commerce revenues. But they also have to make more efficient use of limited resources and eliminate operational costs. They are focused on initiatives with a quick return on investment. Online fraud prevention is a critical area to address because companies can achieve results almost immediately. It’s about more than cutting fraud losses and fraud-related customer complaints. It’s also about increasing accuracy, efficiency and productivity of fraud-fighting efforts so the issue doesn’t damage profitability, expansion plans or brand reputation.

Dan DeBlasio, Director of Business Development, Identity and Access Management (IAM) Americas, HID Global

How does “Risk-appropriate” authentication increase the value of security in an organization?

The usernames and passwords that organizations use to protect their computers and networks are too easily guessed, shared or stolen. “Strong Authentication,” which requires devices such as a smart card or a one-time password generation token, increases security, but has been expensive. With “Risk-appropriate” authentication, businesses use a blend of technologies based on the location of their users and the value of the information protected. Frequent travelers might use smart cards, while their office-based colleagues would use their physical access badges, along with a personal identification number (PIN), to access their PCs. This “convergence” of physical and logical access is gaining popularity as it allows businesses to comply with industry IT security regulations using assets that have already been paid for. With this approach, the overall level of security in an organization is increased, while technology investments are appropriately controlled.

Dale Grogan, Director of Smart Card Initiatives for LifeMed Card, Inc

How can smart cards improve security in healthcare?

A patient’s healthcare information is stored everywhere – at hospitals, physicians’ offices, pharmacies, insurance companies – the list goes on. Unfortunately, this sensitive medical information is susceptible to theft; one of the fastest growing segments of identity theft is medical information. Thus, protecting medical information is vital. Data on smart cards are heavily encrypted, provide accurate identity confirmation, and act as a secure entry point for medical retrieval from multiple sources. As medical records become more widely distributed (vis-à-vis President Obama’s $18 billion initiative to fund Health Information Exchanges), the need to accurately identify and track patients, persons contributing patient information, and users of that medical information becomes more crucial. The point: smart cards help ensure patient medical record security and have been proven to be an unparalleled portable medical record device that provides accurate patient identity and reduces fraud, while streamlining patient registration.

Ask the Information Security Experts