Forwarded From: JohnE37179@aol.com
System Security
The Failed Paradigm
Current information system security strategies revolve around encryption
and some form of password. This approach, even if perfect, only protects
transmission and transcription of information. Two elements are missing:
the truth of the information transmitted and the identity of the users of
the system. If the identity of a user is not absolutely confirmed at the
time of enrollment, even a perfect system will only confirm a potentially
false identity - resulting in an insecure system.
The paradigm of accuracy in information systems is limited to
transcription and transmission. The truth of content is not considered.
The result of these approaches is the rapid growth of identity fraud.
Identity fraud appears in many guises. The acquisition of a false
identification is relatively simple and the simplest of hacker techniques
- social engineering - is all it may take to break the most technically
sophisticated system.
Why would someone trying to break a system try to break an encryption code
when all they need do is a simple deception of identity?
Are we not all deceiving ourselves with the race to build the strongest
encryption and passwords without working on the more basic problems of
user identity and message truth?
The response I get when I raise this question is either that this is the
"user's" problem or it is a "wet brain" problem and not susceptible to a
computational solution. Both these responses ignore or misclassify the
problem in an attempt to finesse a solution.
There are information strategies that when coupled with existing
technology can both absolutely determine and verify an individual's
identity and determine the truth of message content. While this is an
emerging solution, it has had over 16 million commercial uses and in tests
has demonstrated error rates of fewer than one in 22 million.
John Ellingson
President, e-Dentification, Ltd.
Received on Thu Mar 11 17:21:24 1999