WHITE PAPERS
Our White Papers provide insight into our expertise, philosophy, vision and methodologies. The following topics are in preparation.

1. When Something is Not Better than Nothing
by Harry R. Smith

Abstract

There is a popular consensus which maintains that something is better than nothing. For instance, when stranded roadside on a cold winter night, a bed sheet is arguably better for keeping warm than having no covering at all. This "better-than-nothing" notion often becomes the acceptance criterion for embracing a new safety or security technology. However, there are latent deficiencies in this perception that, if left unrecognized, pose serious safety and security threats. So just when is something not better than nothing? When it gives a false sense of protection. This article looks at various accepted multi-factor authentication methodologies that on the surface appear to provide enhanced identity assurance and data security, but when considered in practice can be shown to be as vulnerable to breaches as the password-only systems they replace. In the case of the latter, you know what you don't have; in the case of the former, you don't know what you don't have.

2. Identification Assurance and Data Security Evaluation Protocol: A Decision Tree for Standardizing, Optionalizing, Prohibiting, Ignoring, Enhancing, or Characterizing Safeguards
by Harry R. Smith

Abstract

A decision protocol is developed for assessing whether a candidate safeguard should be offered as a standard or optional feature, or whether it should be enhanced, prohibited, ignored, or merely characterized. Satisfaction of the protocol is a sufficient condition for satisfying the code of ethics for engineers, extant codes and standards, the Intrinsic Classification of Safeguards, and the Dangerous Safeguard Consensus. Decisions that do not satisfy the protocol violate one or more of these safety philosophies.

This decision-making process advocates the position that a corporation has a non-delegable duty to include effective safety and security features within its infrastructure. It further embraces the advocacy pronouncement that "non-refutable authentication should not be optional."

3. Security Hierarchy: Identification Assurance and Data Security Priorities
by Harry R. Smith

Abstract

There is no such thing as the security hierarchy; there are many hierarchies. Secondly, "it" is not a scientific law, but rather a useful rule of thumb whose genesis is consensus. Thirdly, its complete form is broader than reported in any single reference.

I. Introduction

The past six decades have witnessed the emergence of various security hierarchies that security practitioners have embraced in their approach to preventing identity theft and information breaches. The hierarchies do not arise from a research base; rather, they reflect the experience of IT security professionals and organizations. An examination of the literature reveals enough similarities among the hierarchies to suggest the existence of a consensus. This paper surveys the collection of hierarchies, which yields a broader hierarchy than any previously proposed.

4. Regulations – Impact and Impotence
by Harry R. Smith

Abstract

Most of the technical works of mankind are designed without the guidance of codes and standards. Specific security regulations are generally developed when contrivances give rise to numerous or substantial breaches resulting in fines and penalties. The strengths of such regulations are briefly outlined in this article, along with their inherent weaknesses.

I. Introduction

Information assurance and data security are characterized by two concepts: Severity (How badly can a breach hurt you?) and Frequency (How often will it hurt you?). It follows that a technologist is confronted with the question, "How secure is secure enough?" Unfortunately, security is not an uncoupled concept that can be studied independently. Reduced to its simplest form, the technologist must balance security, function and cost.

Referring to the Engineering Code of Ethics, the first tenet of every engineering society requires that: "Engineers shall hold paramount the safety, health and welfare of the public in the performance of their professional duties." Three points should be emphasized. First, the duty of an engineer derives from an obligation to harness technology for the benefit of mankind. Second, welfare includes economic well-being; welfare is defined as "a state characterized especially by good fortune, happiness, well-being, or prosperity." Third, the entity charged with managing and securing data comprising critical assets (e.g. intellectual property, financial records, identities and their related sensitive information) is in effect the "engineer" and the party responsible for safeguarding those assets. As such, solutions must be implemented that provide optimal protection of those assets.

The problem of specifying a level of security becomes even more perplexing when different metrics exist, for example cost, complexity and frequency. Trade-offs among qualities measured with different metrics are like comparisons of apples and oranges. How then does one specify how much security is required to safeguard adequately? The answer is found partly in various value systems such as the judicial value system, consensus standards, and statutory codes. However, the responsible investigation of leading-edge technologies that offer protection beyond that which is recognized by these value systems must also be considered.

5. On Classification of Safeguards for Identity Assurance and Information Security: Identification Continuum
by Harry R. Smith

Abstract

The field of identity assurance and information security is still in its infancy. As yet no universally applicable security principles have been formulated, let alone adopted. Recognizing this state of ignorance and/or neglect, technologists, and even legislators, set safeguarding standards for individual applications and specific processes. They do not claim to be defining universal safety truths. The courts, on the other hand, produce general rules, which they then apply to all enterprises thereafter. Since no valid general rule exists, the legal system is producing irrational tenets at odds with other intellectual disciplines. Technologists cannot change the law, but we can provide guidelines to help the courts make more appropriate decisions.

The first step is to stop looking at security solutions as a homogeneous lump. Security solutions differ in the amount of security they provide and the amount of breach they can allow. We are studying a number of classification systems that make it possible to evaluate the efficacy of security safeguarding technologies. This article presents one system that breaks down security technologies into mutually exclusive and jointly exhaustive categories. With this we establish a sort of pecking order that allows security technologies to be ranked according to the type of protection offered. Further, another category is introduced for those important security problems that seem to fall outside this scope, which allows us to deal with the security characteristics inherent in a system. These characteristics, which include simplicity, obviousness and widespread user training, are ranked under Zero Order Systems in the resulting functional hierarchy of security technologies and concepts. This allows us to see the relationships among such technologies.

6. Philosophical Aspects of Non-Secure Security Systems
by Harry R. Smith

Abstract

One of the unfortunate trends that has developed in the identification assurance and information security movement is the promotion of non-secure technologies. Such technologies arise principally from insufficient research, ill-prepared requirements documentation, poorly defined regulations and the misconception that anything is better than nothing. An unequivocal mandate against the use of technologies that themselves present breach hazards needs to be established. This precedent has been set in the field of safety for decades and provides an example of what must be achieved in the field of identity assurance and information security. The Food and Drug Administration investigates new drugs to establish their benefits, shortcomings, efficacy and side effects. Unfortunately, the identification assurance and information security profession has no equivalent procedure for screening safeguarding technologies to determine their suitability. Non-secure security systems typically emerge in the following categories:
HRS Technologies, LLC 708-755-1583
©2006 HRS Technologies, LLC. All Rights Reserved.