Update requirements_draft.txt
authorErik Anderson <eanders@pobox.com>
Fri, 12 Jun 2015 14:27:55 -0400
changeset 741 81d06ce0aed4
parent 740 d15f41ac8868
child 742 68c47db9bdbf
Update requirements_draft.txt
latest/requirements/requirements_draft.txt
--- a/latest/requirements/requirements_draft.txt	Wed Jun 10 12:15:20 2015 -0400
+++ b/latest/requirements/requirements_draft.txt	Fri Jun 12 14:27:55 2015 -0400
@@ -302,8 +302,10 @@
      - Authentication is to reduce risks but provides no guarantee of whom the user is.
      - Make use of advances in authentication technology to help reduce risks
      - Authentication by itself is not enough
+	 - Enhanced authentication does not directly help prevent data breaches or identity theft. Only enhanced encryption does that.
   - Data Security
      - Many lessons learned from data breaches.
+	    - Authentication did nothing to protect the information.
         - Many of these breaches are national or superregional in scope, affecting consumers in many states and, frequently, across the country.
         - Identification of privacy risk in information systems is very hard and double so due to non-standard approaches to securing the information. Most information is secured in bulk vs smaller layers that segregate & isolate information loss to anonymized elements that are unusable without being associated with the whole. Example: Breaking the key securing the birthdate of one individual without compromising the individuals name nor all consumer's birthdates.
         - Data anonymization has been an immensely successful strategy for storing of data at rest.
@@ -314,16 +316,17 @@
         - To minimize risk one times keys are necessary to prevent an authorized party of one anonymized record from elevating their permissions by combining a historical static keys from other parties.
         - Identity based authentication combined with revocable roles & time based access controls to information would allow immediate tangible actions to be executed even after the occurrence of an information-exposing event.
         - Users records were stolen resulting in disclosure, publication, and unauthorized reuse of their personal data resulting in identity theft at a massive scale.
-        - A large percentage of data breaches occurred from password/account recovery mechanisms of authorized vendor accounts.
         - Separation of the data security from the application security was viewed as a giant leap forward in event the application or operating system was compromised. This mechanism should be applied on consumer premise as well.
-        - Consumer confidence in electronic payment systems is at an all time low. Millennials trust Bitcoin's more than fiat.
-        - Financial institutions & merchants must accept the consequence of a fraud & security failure but that does not always match who has the ability to correct those security gaps.
+        - Consumer confidence in electronic payment systems is at an all time low. Millennials trust Bitcoin more than fiat.
+        - Financial institutions must accept the consequence of a fraud & security failure but that does not always match who has the ability to correct those security gaps.
           Example: Financial institution has no control over browser security mechanisms, Financial Institution have no control over zero day vulnerabilities in software applications written by 3rd parties. Financial Institutions will have no control of the network security as future payments transition between closed loop systems and open loop system (ie public internet).
+		  Example:  A large percentage of data breaches occurred from authorized vendors and service providers. Vendors are outside the immediate vision of the legally responsible organizations yet have the same or better access to information as the organization to whom they are providing the services. Many vendors provide & maintain critical security components of that organizations information networks. The legally responsible organizations can be held responsible even for the security or process flaws of the vendor.
         - Information about the quality of commercial security products is imperfect and causes incorrect investment decisions
         - Current security depends on the security of each element of a network.
 		- Studies conducted since 2009 show that hackers are attacking private data over payment instruments themselves. Having access to data is allowing the fraudsters to conduct large volumes of smaller value transactions. Smaller transactions may go unnoticed by consumers.
-		- Analysis of data breaches show serious weaknesses in data security at merchants, Depository Financial Institutions, and payment processors. Despite emphasizing larger merchants and recently imposing a system of fines for failing to comply with PCI standards, the PCI process has not prevented security weaknesses that allow large data breaches. Strengthening public oversight and adoption of data security techniques in nonfinancial organizations would supplement improvements to the financial systems.
+		- Analysis of data breaches show serious weaknesses in data security at merchants, Vendors & Service Providers, Depository Financial Institutions, and payment processors. Despite emphasizing larger merchants and recently imposing a system of fines for failing to comply with PCI standards, the PCI process has not prevented security weaknesses that allow large data breaches. Strengthening public oversight and adoption of data security techniques in nonfinancial organizations would supplement improvements to the financial systems.
 		- While many breaches have not exposed large quantities of sensitive data, what is exposed is particularly useful for identity theft.
+		- Data breaches cause a massive loss of consumer confidence. It is unlikely but possible a breach will cause an immediately shifted to alternative means of payment, but doing so could create substantial operational challenges for those payment systems. To allow for efficient payment substitution in support of a smoothly functioning economy, there must also be multiple reliable ways to make and receive electronic payments.
      - All data must be protected at all times from UI entry/display to the very databases that information is stored.
      - Mechanism to measure threat intelligence of information. Threat intelligence must have context if its to be actionable.
      - Data security technology mechanisms must be integrated into an organization’s workflow and risk management practices.
@@ -334,12 +337,22 @@
      - Identity theft and fraud is drastically increasing (25-50% per year) because of personal data sharing mechanisms, data breaches, password/account recovery mechanisms, malware, etc.
 	 - Currently, the Federal Trade Commission and the Consumer Finance Protection Bureau have jurisdiction to enforce data security measures that deter payment fraud at merchants and processors. Legislators have proposed giving the FTC authority not only to enforce data security standards but to set them as well. Federal financial institution regulators may need to speed implementation of their new cybersecurity assessments of financial institutions and strongly emphasize data security.
 	 - Countries that adopted chip-n-pin carts have noticed that fraudsters shifted their efforts to identity fraud, taking over or creating new accounts, and IMOTO (Internet and Mail Order and Telephone Order) causing a dramatic rise in associated fraud losses. History shows that new payment instruments & technologies lack adequate protective measures, such as the Internet, causing a major influx of fraudsters. Adopting chin&pin in the US will have unintended consequences such as flocking to internet based payment mechanisms.
+	 - To keep the costs low and not boil the oceans, the optimal control point should use a least-cost method to enhance security. Meaning the payer’s bank, for example, can best determine whether the payer’s signature on a check is genuine, and the payee’s bank can best determine whether the payee’s endorsement on the check is genuine. Example: We dont need to build a massive government based KYC physical & Biometric signature verification platform when the existing Banks can do this. Over doing the security, identity, KYC/AML, & legal/regulatory structure will create misaligned incentives that are not socially optimal nor justified.
   - Security Framework
      - Security Framework should recognize the global nature of technology yet avoid guidance based on country of origin, which would impede international commerce.  National cybersecurity concerns can be addressed in alignment with international standards.
-     - A data security standard/framework should wrap the details of the underlying technologies yet be flexible to let the industry define how the framework protects the assets within their organizations based on their overall risk management plans. Avoid developing a conformity assessment program, confidence before conformity.
-     - Industry should define how the Framework should be adopted in their organizations based on their overall risk management plans. That approach has generally been well received. 
+	 - Its not possible for any single Government or even entities within one Government to have an exclusive, comprehensive regulatory, or supervisory jurisdiction over such a Framework. Framework must allow security layer(s) that aligns that with their jurisdiction yet not allow information leakage outside their sphere.
+	    US Examples: 
+		  - The Board of Governors of the Federal Reserve System issues certain retail payment regulations, especially regarding checks.
+		  - The Consumer Financial Protection Bureau (CFPB) has jurisdiction over most federal consumer protection regulation for electronic payment transactions.
+		  - The Federal Reserve Board, as well as other federal financial supervisors, conducts exams, and these exams can entail a review of the financial institution’s payment system security precautions, including those of its business partners.
+		  - Worse yet, there are many 3rd party organizations involved in operating networks and providing payment services to the public are banks, but many are not.
+		  - Additional regulators can be involved like nonbanks operating under state money-transmitter licenses are subject to state agency supervision.
+		  - In addition, the CFPB may determine, by rule, that certain nonbanks in markets for consumer financial products and services are larger participants and therefore subject to CFPB supervision.
+		  - A variety of state laws also address consumer rights in instances of identity theft or a data breach. Small and large business can be legally liable for a data breach leading to identity theft. All that KYC information is a honeypot for fraudsters seeking to exploit identity data or sell that information on the black market (Target's data breach revealed a worldwide network for selling card data)
+     - A data security standard/framework should wrap the details of the underlying technologies yet be flexible to let the industry define how the framework protects the assets within their organizations based on their overall risk management plans. Avoid developing a conformity assessment program, confidence before conformity. A good framework will hide the underlying technology specifics so users can solve business cases vs struggling with advanced security systems and challenging cryptographic API's.
+     - Industry should define how the Framework should be adopted in their organizations based on their overall risk management plans. Rather, in striving to achieve efficiency, organizations must balance the security costs to prevent and mitigate fraud against the full set of costs that fraud generates. That approach has generally been well received. 
      - Framework must address privacy and civil liberties methodology. Identity and privacy technology must be integrated with cybersecurity technology. Layer cybersecurity technologies into authentication, authorization, identity, message exchange, and private information sharing mechanisms so identity theft and violation of privacy becomes infeasible.
-     - Framework should be directly referenced as "public policy" to prevent against misaligned incentives. Policymakers cant craft a policy that addresses constantly changing threats, complex interdependencies of todays information networks, nor provide enough details to implement adequate cybersecurity protection. Under some assumptions, strategic uncertainty may lead to more effort to protect than is socially optimal
+     - Framework should be directly referenced as "public policy" to prevent against misaligned incentives. Policymakers cant craft a policy that addresses constantly changing threats, complex interdependencies of todays information networks, nor provide enough details to implement adequate cybersecurity protection. Under some assumptions, strategic uncertainty may lead to more effort to protect than is socially optimal.
      - Framework must address protection of the data itself. A payment and information networks consists of many components—computers, communication channels, software, and users—each subject to attack and requiring defense. The weakness of each component will vary, and attackers will strike vulnerabilities with the highest expected payoff. Engineers who protect these components make judgements about their vulnerability and prioritize each component to determine which weakness to correct. These assessments are difficult, costly, and uncertain, and some weaknesses will likely remain due to undetected vulnerabilities or imprecise assessments (such as underestimates of potential damages). Engineers cant protect all the components all the time so we must work on protecting the underlying data. This requires a data protection framework that spans the UI to the very data storage. A proper framework will allow the web/internet to be used as the payment pipes. Without such a data protection framework it will be impossible to safely use the web/internet because of the uncertainty of security of each network node a transaction goes through.
 	 - Without a proper framework the Engineers will protect a handful of weak network links but not all of them. Over time, the set of weak links will change. A mild amount of uncertainty can lead to additional protection of weaker links where expected losses are high and countermeasures are justified. On the other hand, high uncertainty can lead to no protection: the defender may not know which link is weakest and thus leave all links unprotected.
 	 - Installation of 'corporate malware' is a norm for financial institutions. They install this malware to allow them to follow misaligned compliance incentives. Without protecting the data itself, this approach to following compliance becomes the weakest link in the institutions security and the point of attack.