Article: U.S. Government Calls for Better RFID Security by Jon Brodkin, PC World

In this article appearing in PC World, the U.S. Government stated that the use of RFID devices by firms can create security and privacy risks. Thus, best practices should be implemented for retailers, manufacturers, hospitals, and federal agencies to alleviate security risks. The primary concern is that unlike desktop computers or other devices overseen by a company's network security crew, an RFID tag may be used by a multiple firms. That is, firms may use a different techniques to maintain their chain-of-custody than other firms. The National Institute of Standards (NIST) of the Department of Commerce released a report that mentions how suppliers, manufactures, retailers, and different organizations acquire the same data from RFID tags throughout its lifecycle, but do not implement an adequate security policy to protect the data from unauthorized personnel. This situation raises privacy and security risks.

The released publication is called, "Guidelines for Security Radio Frequency Identification (RFID) Systems." The following recommendations are: (1) Organizations should use Firewalls to separate RFID databases from other databases and IT Systems; (2) Encrypt radio signals when possible; (3) Authenticate approved users of RFID systems; (4)Shield RFID tags or tag reading areas with metal screens or films to prevent unauthorized access of tag readers; (5) Use managed audit procedures, logging and time stamping to help detect a breach of security (6) Implement a procedure for tag disposal and recycling that permanently disables or destroys sensitive data.

The report was mandated by Congress under the Federal Information Security Management Act of 2002. Besides the retail industry, RFID devices are used in hospitals to match patients to lab test results. This raises a concern about unauthorized personnel who can capture sensitive data. During handling and transportation of hazardous materials, RFID tags are handled by a number of organizations to track the materials. However, the risks are rather significant because of potential threats to target vehicles containing hazardous materials; eavesdrop on tag transactions to gather information on the characteristics of the materials; damage or disable a tag, making it easier to steal or change manifest data stored on the tag. Ultimately, this risk to security of hazardous material transport could be devastating to the organization or to the community.

As a result, the recommendation is to shield vehicles and containers from electromagnetic emissions, establish a 300 ft perimeter around storage locations, and use passwords to prevent unauthorized personnel from reading tags or changing information on the tags. The report states that is a general rule, tagged items should be identified only before products are transported out to their destinations and when products are received at their destination and inventory storage, but not during vehicle transport. The challenge to supply chain management is that only authorized personnel should have access to RFID information and that specialized training is required to sustain security of the contents.

I like the article because the recommendations are closely related to the Case Study in Chapter 8 of Laudon and Laudon where the Department of Veteran Affairs failed to implement a fail safe method to protect valuable data from being stolen. Millions of sensitive records were stolen from former veterans. A VA financial analyst took home a laptop computer having millions of records of sensitive data to work on a project, but the laptop and records were stolen from the employee's home. The VA required to implement a policy to safeguard all sensitive records. My place of employment, the NAVFAC Engineering Service Center, takes special precautions to safeguard classified materials. We employees take extensive security awareness training to become aware of our responsibilities to handle sensitive information. RFID technology has certainly made supply chain management more efficient, but security and privacy issues are always a concern.

Reference: Jon Brodkin, U.S. Government Calls for Better RFID Security, Department of Commerce report says RFID raises unique security concerns. Network World, PC World, May 1, 2007.

Chapter 8 Case Study: A Stolen Laptop at the Department of Veterans Affairs: The Worst Data Theft Ever?

A financial analyst from the Department of Veteran Affairs brought sensitive personal electronic files from 26.5 million veterans’ home to work on a project, but the personal files had been stolen on May 22, 2006. The data included names, social security numbers, and birth dates of veterans who were discharged from the military starting in 1975. The data was not encrypted. The VA breach was the second largest unauthorized disclosure of social security identification data.

Question #1: List and describe the security weaknesses at the Department of Veteran Affairs.

One weakness is that the Department of Veteran Affairs (VA) failed to implement a policy that strictly prevents employees from taking home classified or sensitive financial data of veterans. It was not clear initially whether the employee was authorized to take home the files. This clearly indicates that there was a lack of a security policy that is required to protect information assets. The data stolen was not encrypted.

A second weakness is that there was a lack of disaster disaster recovery planning where a company focuses on how it can restore business operations after a disaster strikes. There was no plan of action of how to backup any lost data.

A third weakness is that there was a lack of a communication protocol on what to do if the data is lost or stolen. That is, the data was not reported in a sufficient amount of time. The department did not report the incident to law enforcement until two weeks after the incident. The Department of Justice and the Federal Bureau of Investigation stated that the delay may have allowed a more thorough investigation to solve the case.

Question #2: What management, organizational, and technology factors contributed to these weaknesses?

In reference to management factors, decentralized management exists at the agency and that it was difficult to change. Former CIO, John Gauss, stated that that the agency experience “cultural impediments” as reasons why he was unable to implement a central management of IT at the department level or a strong information security programs.

In reference to organizational factors, per recommendations of the VA audit, the VA failed to implement a centralized IT security program to ensure that employee job descriptions contained proper rules about what data they could access and to complete work on intrusion detection systems, infrastructure protection actions, and better access controls. There was a failure to implement a security policy for preventing the employee from taking home sensitive or classified data. According to a document obtained from the Veterans Affairs Committee, the employee did have authorization to take home a laptop and use a software package to work with the data. The documents revealed that the analyst was authorized to use home special software to manipulate data, to accesses social security numbers of veterans, and to remove a laptop and other accessories from the VA building for outside work. It is not clear how stringent the documents were written, but the employee violated the security policy. Apparently, the employee routinely had been transporting data to his home for three years, but unknown to his supervisors.

In reference to technological factors, the company did not implement a security policy of access control where all policies and procedures a company uses to prevent improper access to systems by unauthorized users. To gain access a user must by authorized and authenticated. It is not clear how competent the employee was on the security policy implemented by the VA. It is not clear how much training the employee received on handling classified information. It is not clear whether the employee used special passwords to access the information. Since the data was not encrypted, then the VA failed to implement an encryption policy where plain text or data is transformed into cipher text that cannot be read by anyone other than the user.

Question #3: How effectively did the VA deal with these problems?

Although the VA acknowledged recommendations from the House Committee on Veteran, the CIOs from the VA agreed that a centralized management of all IT programs and activities is required. One of the CIOs wanted a structure where there would be less susceptible to delays, budget overruns, and performance failures. The VA divided its IT operations into two domains. Thus, Congress passed a bill that gave a single executive control over the entire department’s IT spending. The CIO would be raised to rank to undersecretary and the chief information security officer be raised to the assistant secretary level. The VA planned on merging its IT domains to finally centralize IT programs and activities. It is not clear as to how these changes to a new “federated” IT management system based on reducing costs and making the department more efficient will help resolve security issues. The VA made no recommendations of making substantial changes to their security policy so the incident will never happen again. Thus, the effectiveness of how the VA dealt with the problem still vague. The VA needs to make a complete revision of their security policy to prevent any future loss of data from human or technological factors.

Chapter 6 Case Study: Panasonic Creates a Single Version of the Truth from Its Data

Question #1: How did Panasonic's information management problems affect its business performance and ability to execute its strategy? What management organization and technology factors were responsible for those problems?

Panasonic’s operations expanded rapidly throughout Europe, Asia, and North America. In Europe, the company has 15 subsidiaries, 14 manufacturing facilities, and five research and development centers, and seven administrative offices. As a result of having so many different sources of data, the company was unable to manage its data effectively. The product and customer data was inconsistent, duplicate, or incomplete. Different segments of Panasonic used their own data management operations that were isolated or different from other locations within the company. Ultimately, this resulted in a decrease in operational efficiency and higher costs from the company. The data required to launch new products in the market are photos, product specification and description, manuals, pricing data, and point-of-sale marketing information. The employees use this data to select product information that suits the needs of the region or country. As a result, with a lack of an adequate database to manage product data, the company was unable to sustain a substantial profit and strategically market new products.

The CEO’s and managers at Panasonic did not anticipate a substantial market demand for their products. They did not seek their employee feedback to determine how the product data and inventory of services could be better managed to seek the needs of the employees, suppliers, and customers. They did not make a thorough analysis of their 5-year business strategy to access whether the company requires new services or capabilities to achieve their strategic goals. They did not perform an adequate IT strategy, infrastructure, and IT infrastructure cost to determine whether the IT strategy takes into account the firm’s five-year strategic plan. Thus, making an assessment to determine where necessary changes in data management need to be done to improve the company’s efficiency.

Question #2: How did master data management address these problems? How effective was this solution?

Panasonic implemented a “push” model to replace a “pull” model to interpret and sort data. Using a push model, a centralized data bank sends the requested information to employees in marketing and sales instantaneously and consistently. Retail partners and e-commerce vendors who are recipients of the data can view the data at all phases of a product rollout. Thus, specific employees can have better visibility of their products and services. The outcome of this push model is that customers are less likely to become confused while researching Panasonic products. Panasonic’s Europe’s data management was upgraded with master-data-management (MDM) software from IBM’s WebSphere line. The software enabled Panasonic Europe to gain better control of their data and better streamline the business process. The MDM implementation includes the business process analysis, data assessment, data cleansing, and a master data service layer. The MDM allows employees with access to view the company’s data and activities throughout the organization. The outcome of the MDM implementation is that Panasonic Europe could expedite its products to customers much faster than before. The system resulted in an increase in company sales and profits.

Question #3: What challenges did Panasonic face in implementing this solution?

Although Panasonic Europe succeeded in gaining profits, Panasonic North America had challenges of reorganizing workflow and consolidating product information. Panasonics investigated product information for Wal-Mart. Panasonic looked closely at its legacy system to determine its required data. Panasonic worked with IBM to develop an interface apparatus to acquire the data for its repository. Since the information produced by legacy systems were not available in the legacy systems, then Panasonic needed to add newer interfaces then build an application-integration layer for Wal-Mart that could be proven successful.

Another challenge was that the company had multiple facilities that made its own new products. The facilities had their own culture and information infrastructure so they were not necessarily willing to share their data with a centralized database. However, Bob Schwartz made a strong case to the corporate office in Japan that integrating a data management strategy globally would be a major benefit to the company’s infrastructure. Schwartz also needed its manufacturer partners to agree with implementing the MDM technology. Schwartz succeeded in gaining substantial profits by integrating shared data inventory among the vendors such as Best Buy and Circuit City. As a result of the implementation of the MDM, Panasonic has become more competitive and can produce new products for their global market.

Article Review: Southwest Integrated Flight Tracking System (SWIFT)

Southwest Airlines implemented a flight management tool to help manage its flight operations data and to sustain its requirement for data management efficiency. Southwest has about 3,400 daily flights requiring status data on flight route, fuel requirements, and weather information. Thus, airplanes must be in the right place at the right time. If status from flight operations cannot be updated and retrieved, then flights can be delayed or canceled. The outcome of Southwest’s requirement was the first generation of a Southwest Integrated Flight Tracking system (SWIFT). SWIFT is a flight management tool consisting of applications for managing the fleet of aircraft and dispatching flights. Although SWIFT helped to sustain better flight operations, the system could not keep up with its growth. Southwest engineers developed a real-time messaging tool that could interface with SWIFT and ensure the delivery of necessary flight data. As a result, Southwest chose TIBCO SmartSockets. This system provides real-time updates for Southwest’s fleet management and operations. It provides guaranteed message delivery (GMD) and monitoring capabilities. For example, if the system goes down for any reason, the thousands of incoming weather messages from the FAA will be queued in the system rather than being lost. Southwest uses SmartSockets’ GMD features to manage the approximately 17,000 FAA weather messages received each day that are sent out, filed in a database, and then published to several different SWIFT applications. As a result Southwest has become leader in implementing newly developed innovative IT applications to achieve its efficiency and quality of service. This newly implemented technology allows for the airline to become competitive against the larger carriers like United, American, Delta, and US Air.

I like the article because it provides a significant milestone for capturing, storing, sharing, and managing flight operations data in real time. This visibility of data allows for the flight operations personnel to make better decisions for sending airplanes to alternate airports based on unpredictable storms or harsh weather conditions. Overall, this enhanced capability has resulted in improving the safety standard for the airline.

Reference: Success Story. Southwest Airlines Flies High with Real-Time Flight Data. TIBCO Software Inc., 2007. Website: http://www.tibco.com/resources/customers/successstory_southwest.pdf

Article: High Risk Security Threats (And How to Fix Them) from PC World Magazine (March 2009)

This article, which appeared in PC World Magazine (March 2009), provides an informative overview of how to address related threats and provides some good tips on how to protect our privacy. The article is closely related to the ethical and privacy issues discussed in Chapter 4 of Laudon and Laudon. Real threats exist to web browser caches, ATM card skimmers, PC passwords, credit cards, social networks like Facebook. Users need to be cautious with cell phone e-mails and fake anti-malware offers. I like the article because it is closely related to my annual information technology awareness training. It offers some good information on what precautions should be taken to safeguard our home PC. There are 17 threats mentioned in the article, but I will summarize four tips that I think are the most intriguing. They are: (1) Browser Cache, (2) Card Skimmer Scams, (3) Discoverable Passwords, and (4) Fake Anti-Malware Offers.

(1) Browser Cache: One of the threats mentioned is that browser caches keep copies of text, images, and cookies from web pages that are visited. We are susceptible to being profiled based on our browser history. The problem can be fixed by instructing the IE to save its cache to an external drive rather than saving the cache to the hard drive. Another option is to use a software utility program to clean up the cache after searching the browser. The article mentions that Internet Explorer 8 will the first version of IE to secure a web browsing feature called "InPrivate".

(2) Card Skimmer Scams: A second threat is that consumers are susceptible to losing their credit card information to skimmers. Criminals can place a card skimmer device into an ATM at a small convenience store, a bank or gas station. The skimmer's internal memory can retrieve data from the card's magnetic strip while another skimmer can retrieve the ATM's keypad and records the PIN code. Once the data is retrieved, then the criminal can produce a new credit card to make bank withdrawals from the victim's account. The victim has no alternative, but to cancel the bank or credit card account. Identity theft is a difficult issue to resolve because of the time required to contact the credit card companies. The fix recommended is to gain familiarity with the appearance of card slots especially around outside ATM's or gas stations. If you notice an unfamiliar component surrounding the slot, then avoid using the ATM. Make the transaction inside the bank. I have not encountered this problem, but someone at my office told me that her credit card information was stolen after she pumped gas at a local gas station in Oxnard.

(3) Discoverable Passwords: Hackers can break into Yahoo mail accounts or other e-mails that are common to various browsers. Sometimes the passwords can be retrieved by hackers who work on finding out the online security question. If the answers to the security question are too simple, then the criminal might be able to convince the Web mail's service provider to give out the password. Actually, this happened to me at work. I forgot my password so I kept requesting the password from a government website. I forgot the security question, but eventually, I was able to retrieve the security question and the password.

The recommendation is to keep changing the password. There are password management utilities that can help prevent password retrievals. The user should answer the security question with a strong answer that hackers cannot retrieve. What is your favorite team? Just answer the question with something like $df89KDod.

(4) Fake Anti-Malware Offers: The article mentions that PC users can be easily tricked into providing their personal information to on-line scams that display window alert messages. The user might see some familiar product names like DriveCleaner, WinFixer, Antivirus 2009 appear as a warning that the computer is infected by a virus. Although the advirtisement might appear legitimate, the user may be tricked to enter a website a credit card is requred to purchase the DriveCleaner software. When the software is purchased and placed on the PC, the computer is never wiped clean because the program deactivates the Registry keys or corrupts the Windows software. The recommendation is to acquire an anti-malware program from a legitimate provider. Victims of such scams should contact the Federal Trade Commission to alleviate the problem of scamming.

I actually am familiar with the fake anti-malware offers. I was enticed to purchase two anti-virus programs that appeared after I was alerted that my PC acquired a virus. However, the programs never worked well and the advertisement kept appearing on my screen. Although I spent considerable effort to remove the program from my PC, I feel that the advertisement was in fact a virus that invaded my PC. Eventually, I removed it using legitimate program recommended by my supervisor. Luckily, this incident occurred on my home PC. I am more cautious about advertisements appearing out of the blue.

Reference: Andrew Brandt, "High-Risk Security Threats (And How to Fix Them)," PC World, March 2009, Vol. 27 Issue 3, p62-70.

Chapter 4 Case Study: Is the Telephone Company Violating Your Privacy?

Question #1: Do the increased surveillance power and capability of the U.S. government present an ethical dilemma? Explain your answer.

Yes, our privacy rights as U.S. citizens are being challenged because of the government's implementation of the National Security Agency (NSA) to request phone companies to conduct data mining of our phone records. The government's position on acquiring phone records is that it is a necessary action to fight the War on Terror. President Bush made a statement in which he had authorized the NSA to listen on international phone calls of Americans suspected of having involvement to terrorism without a warrant. Although the Electronic Privacy Act of 1986 helps protect our citizen's privacy, it allows for business to turn over calling data to the government only in extreme circumstances. Thus, the government can easily make exceptions to rules made by prior administrations. The dilemma is that our rights to privacy and unreasonable search and seizure under the Fourth Amendment of our government is in jeopardy. Furthermore, no one is taking accountability or consequences for any actions committed by the NSA. President Bush and Vice President Cheney expressed their view that wiretapping is a necessary action against terrorism. President Bush was given a great deal of power to enforce his policy against terrorism so wiretapping has become an accepted entity regardless of our rights to privacy.

Question #2: Apply an ethical analysis to to the issue of the U.S. government's use of telecommunication data to fight terrorism.

An ethical analysis requires 5-steps (pg 136 of Ch4) so I'll break it down and briefly address each step.

1. The facts: Four of the major telecommunications companies turned over records of phone calls made by U.S. citizens in cooperation with the National Security Agent's (NSA's) anti-terrorism program. The companies were AT&T, Verizon Communications, and Bell South. The outcome is that privacy advocates and critics of the Bush Administration made public announcements of their outrage to our invasion of personal privacy. Ethical questions were raised by executives, politicians, activists, and legal experts. Despite many debates that occurred on both sides, the issue was brought up to the Foreign Intelligence Surveillance Court. The issue is whether the 1978 Foreign Intelligence Surveillance Act (FISA) which required that a court must decide whether wiretapping is done in the United States. The court reviewed whether NSA's activities had violated any privacy laws and whether wiretapping fell within the President's power to fight the war on terrorism. The court's rulings and proceedings were done in secret. As a result, the White House had achieved several rulings that favored the President's policy such as the ability to appeal the court's decisions, changing the language to allow for the administration to provide options to their programs, and a guarantee that the agreement does not block the president's power of authority. The bill which would allow FISA to rule over NSA wiretapping has not yet been approved by Congress.

2. Conflict or dilemma: There are two dilemmas: (1) the need to protect U.S. citizens from acts of terrorism and (2) the need for protecting individual privacy.

3. Stakeholders: The government supports the need to protect the U.S. citizens from acts of terrorism. Therefore, the government should take whatever steps necessary to enforce this position. President Bush and Vice President Cheney defended their position by pushing surveillance of phone calls and e-mails without a search warrant. The National Security Agency (NSA) is a stakeholder. AT&T, Verizon, and Bell South are stakeholders because the wish to support the war on terrorism by cooperating fully. The stakeholders who want to protect the privacy of citizens are: U.S. citizens, the Electronic Frontier Foundation (EFF), Senator Dick Durbin, Democrat from Illinois, Senator Arlen Spector, Republican from Pennsylvania, and Senator Lindsey Graham of South Carolina.

4. Options that I can reasonably take: I do not believe that the outcome of the Foreign Intelligence Surveillance Court resulted in anything significant that would favor the side of the right to privacy. It appears that President's Bush made every effort to instill that he was right no matter what anyone else believes. If I had to offer a course of action, I would like to see a committee rather than the President decide on what is necessary to fight the war on terror. A separate independent committee could be made up of members from Congress, the FBI, and ordinary U.S. citizens who are open to voice opinions without any scrutiny from the White House.

5. Potential consequences of my options: I think the decisions made by a committee rather than the White House Administration would have better representation to safe guard our rights to privacy. Decisions could be made without the social and political issues that seem to have challenged our country's constitutional amendments.

Question #5: State your opinion of the agreement reached by the White House and the State Judiciary Committee with regard to the NSA wiretapping program. Is this an effective solution?

I do not believe that agreement made by the White House and the State Judiciary Committee favored the rights of our U.S. citizens of protection of privacy. I understand that the internet companies keep records of our preferred websites and can distribute our information to third parties. Thus, they have the ability to profile us and there is no policy that I know of that can prevent them from turning over our private data to the government. I understand that the cell phone companies have a right to block any text messages that they define as being inappropriate. Policies for this action exist, but their policy is not specifically stated in their contracts to us. As a result, they have already invaded our privacy. The cell phone companies can drop a customer for whatever reason. The Federal Bureau of Investigation is allowed to enter chat rooms and can entice individuals into turning over inappropriate material without their knowing. Thus, we are still under surveillance by the tele-communications company and the government. The situation has not changed unless society continues to make public opposition.