[WG-HealthIDAssurance] [ARB] [WG-IDAssurance] [WG-P3] Trust frameworks at risk ...

Faut, Nathan E nfaut at kpmg.com
Thu Feb 21 12:30:48 EST 2013


Richard,

I noted the following conceptual snippets in the article I sent:

* "consequences of failed trust from malicious attacks that exploit cryptographic key and certificate management failures"

* "half of the companies surveyed in the report did not know how many keys and certificates they had, or where they were stored"

* "Cyber-criminals understand how poorly organizations manage their trust infrastructure"

* '"Cyber criminals understand how fragile our ability to control trust has become and, as a result, they continue to target failed key and certificate management," said Hudson.'

* 'If trust is the "number one vulnerability,"'

And translated these concepts to:

* CA assessments are not doing their job - finding and reporting the risks that improperly created or ineffectively managed CAs can cause the organization

* Organizations are not paying to have their CAs assessed and therefore cannot acknowledge and understand which managerial and technical vulnerabilities and risks are being ignored

* Potentially worse, if they are assessed, the assessment is not thorough

* In any of these cases the foundational framework either was not used or did not properly inform the assessment and therefore the management of the CA.

And that puts the adoption and use of trust frameworks at risk. The heading was the conclusion after my reading 'between the lines.'

-Nathan
=-=-=-=-=-=-=-=-
Nathan Faut, Manager, IT Attestation, Federal Practice, KPMG LLP
1676 International Drive
Suite 1200
McLean, VA 22102
office: 703-286-6883
mobile: 301-335-2656
FAX: 202-403-3126

From: arb-bounces at kantarainitiative.org [mailto:arb-bounces at kantarainitiative.org] On Behalf Of Richard G. WILSHER (@Zygma)
Sent: Thursday, February 21, 2013 12:12 PM
To: 'IAWG'; 'P3WG'; arb at kantarainitiative.org; wg-healthidassurance at kantarainitiative.org
Cc: DeVaul, James W
Subject: Re: [ARB] [WG-IDAssurance] [WG-P3] Trust frameworks at risk ...

Interesting articles, although I find the numbers hard to believe (i.e. exaggerated). But, Nathan, where does this put trust frameworks per se at risk? (The articles do not use the word 'framework' - I'm assuming either you injected it or you clipped it from LinkedIn (and what does that tell you)?) Isn't it the trust within the organisations that appears to be under threat, but can't trust framework providers apply this knowledge to enhance the criteria they apply and thereby the practices which their assessors will specifically address? Because of the pervasive use of PKI I suspect that this dilemma has ramifications within the infrastructure supporting more than just LoA4, where the PKI is 'out-front' because it is the technology of the primary credentials.

R

Richard G. WILSHER
Founder & CEO
O:  +1 714 965 99 42
M: +1 714 797 99 42
E:   RGW at Zygma.biz
W:  www.Zygma.biz

From: wg-idassurance-bounces at kantarainitiative.org [mailto:wg-idassurance-bounces at kantarainitiative.org] On Behalf Of j stollman
Sent: February 21, 2013 16:42
To: Faut, Nathan E
Cc: DeVaul, James W; IAWG; P3WG; arb at kantarainitiative.org; wg-healthidassurance at kantarainitiative.org
Subject: Re: [WG-IDAssurance] [WG-P3] Trust frameworks at risk ...

Nathan,

Thanks for the heads up.

Here's the Ponemon Institute's explanation of their methodology in coming up with their shockingly high figures:  http://www.ponemon.org/blog/understanding-the-methodology-and-staggering-costs-in-the-annual-cost-of-failed-trust-report

Jeff
On Thu, Feb 21, 2013 at 11:21 AM, Faut, Nathan E <nfaut at kpmg.com> wrote:
Colleagues -

I saw this article through LinkedIn - I offer it as thought-provoking material and without the LinkedIn overhead:

http://www.securityweek.com/trust-based-attacks-against-ssh-ssl-cost-firms-big-money-report


-Nathan
=-=-=-=-=-=-=-=-
Nathan Faut
Manager, IT Attestation, Federal
KPMG LLP
1676 International Drive
Suite 1200
McLean, VA 22102
office: 703-286-6883
mobile: 301-335-2656




***********************************************************************

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter.

***********************************************************************






--
Jeff Stollman
stollman.j at gmail.com
1 202.683.8699

Truth never triumphs - its opponents just die out.
Science advances one funeral at a time.
                                    Max Planck

