HIPS Series > Protecting Your Identity

How to take this course

Hyperlinks to supplemental content are provided, should you wish to read more about a particular topic.  This extra material is optional.  It is not covered on the associated course quiz.  The supplemental content will usually be presented in a new browser window, which you may close at any time.

For the recommended reading sequence for these materials, see the HIPS Series Overview.

Approximate reading time for this course is 12 minutes (exclusive of linked content). The quiz for this course is here.

•  •  •  •  •

1. Why are you here?

As you probably already know, security training is usually required for everyone in an organization's workforce who has access to its information systems.  It's required by law.  It's required by ethics.  It's required by business common sense.

What does protecting your identity have to do with that?  Everything.  Identity security is the cornerstone of protecting all of an organization's assets -- not just information systems and data, but physical, financial and human resources as well. 

We'll explain why in this course, and give you simple steps for keeping your own identity secure at work.

Learning to protect your identity at work also has personal benefits.  Identity theft is one of the fastest-growing crimes worldwide.  Millions of persons are victims of this type of fraud each year.  It can take years to recover from damage to finances and reputation. 

What you learn here can protect you from identity theft in your personal transactions too.

2. Right people, right things

What is the goal of a security system?  One answer is that security aims to let in only the "right people," and keep out the "wrong people."  That's true when we are talking about limiting access to physical spaces like buildings.  It's also true when we are concerned with access to virtual spaces like the files on a computer or a destination on the Internet. 

Sometimes this task is called "controlling the perimeter."

That's not all.  A security system must also make sure the people that have been let in -- gotten "inside the perimeter" -- do only the "right things" while inside. 

Identity security, combined with other security tools, addresses this as well.  We'll discuss how in the second part of this module.  But let's begin with the problem of figuring out who the "right people" are.

3. Identity checks in the physical world

In our everyday lives, we do identity checks all the time.  Familiar living things -- family, friends, pets, co-workers -- get identified as "right" because they look, sound, smell and behave in the ways we expect.  This kind of assessment is so ordinary we're often not even conscious of it.

We must continually assess strangers' identities too.  For example, what if someone arrived at your house, claiming to be from the phone company?  You'd use your senses and your common sense to assess this claim, based on factors like appearance, possessions, and knowledge:

  • Does the person have a valid ID badge? 
  • How about a phone company uniform, vehicle and other equipment? 
  • How about a plausible reason for the visit? 

4. Securing the physical world

Since the focus is on information security, this course concentrates on identity in the virtual world.  That doesn't mean physical security is unimportant.  Quite the opposite.  A secure physical environment is as critical to protecting computing and networking equipment as it is to securing an organization's other assets.

Your office may have physical security measures like door locks, alarms, surveillance cameras, and security officers on patrol.  But you too are a part of protecting the physical perimeter.  Always keep an eye out for persons who appear to be in the wrong place.  Don't be afraid to (politely) challenge a stranger for identification.  Don't be too busy to make sure a stranger gets to the right place, and stays out of the wrong ones.

Besides watching out for out-of-place persons, how can you help secure your organization's physical world?  By protecting the things that control physical access: ID badges, magnetic and smart-card keys, conventional (metal) keys, combination lock codes, and so on.

Make sure you keep all of these secure to prevent theft -- either with you or in a protected place.  File a report immediately with the security department about anything that is stolen or lost. 

Rapid reporting protects the organization.  Locks can be changed, card-keys deactivated, and other steps taken to limit potential damage.  It also protects you.  A person who has these things is capable of assuming your identity, and anything they do may appear to have been done by you.

5. Identity checks in the virtual world

Modern life offers the convenience of not having to be physically present to interact with others.  Many kinds of transactions can now be completed via phone, fax, email or visiting a Web site.

This convenience opens up a Pandora's box of problems.  It is difficult enough to establish the identity of a stranger standing right in front of you.  It's much more difficult to identify someone who exists only as a voice on the telephone, a piece of paper rolling out of a fax machine, or a message in an email or postal letter. 

Identity theft schemes like phishing are a much greater problem today as a consequence.

Whenever you must identify someone in such a "virtual" context, you need to exercise extra care.

6. Securing the virtual world

Before exchanging information over a medium like the telephone, organizations such as banks and credit card issuers try to verify who you are.  Typically this is done by asking questions about things only you should know, such as your Social Security number (SSN). 

You may not have thought about it, but you also have a security task in such circumstances. You must try to be sure you're actually dealing with the bank or credit card company, and not an imposter.  You need to be especially cautious if the contact was not initiated by you.

For your workplace transactions using telephone, fax, mail or email, you must exercise care to be sure you're dealing with the right organization and the right person.  That means always verifying phone numbers and addresses.  It may also mean asking questions to verify identity.

Be aware that in these situations, identification is often based entirely on factual knowledge -- of an SSN, account number, address, birth date, parent's name, pre-established PIN number or password.  You can't establish identity by appearance or behavior when a person isn't physically present.  And there's usually no way to present a physical item, like a driver's license or other ID card.

This dependence on personal data for identity means you must always be careful about disclosing it -- whether it's information about you or about a customer. 

You also need to be careful about storing or disposing of such data.   Failure to do so sets you or the customer up for identity theft.  (Failure to exercise due care could also set you or your organization up for a lawsuit.)

7. Computer systems and passwords

Before you can use a shared computer system or a secure web site, you usually have to provide information.  Specifically, you must answer a pair of questions to verify your identity -- providing your user-ID and an associated password.  

To protect your identity, and the security of the shared computer system or secure Web site, it's critical to pick good passwords and protect them appropriately.  (For tips, take the Picking and Protecting Passwords course.) 

If you think a password has been compromised, change it immediately.  In most cases, it's recommended that you also report the matter to the appropriate security department.  Doing so may prevent further damage -- and, as with a key or ID badge, protect you from blame for damage already done.

8. Computer systems and access tokens

Some computer systems now rely on smart cards or other kinds of "access token" to establish identity.  An access token must be put through, or near to, a reader or equivalent sensor device. 

Sometimes it's also necessary to enter a PIN number or password, as with ATM cards.  This is called "two-factor" authentication -- because it's based on something you have (the card token) and something you know (the PIN).

As with old-fashioned metal keys, it's critical to protect access tokens by keeping them with you or in a safe place.  Just as with a compromised password, it's critical to notify the appropriate security department if a token is lost or stolen, so that it can be deactivated.  It's particularly critical if it's a "one-factor" token like an old-fashioned metal key or a card that must simply be swiped (no PIN needed).

9. Computer systems and biometrics

Some computer systems now rely on biometric identification.  Devices exist to take measurements of faces, eyes, fingers, palms, and just about any other part of the body you could envision.  Some systems can analyze voices, handwritten signatures, the way a person walks, and even the way someone smells.

Biometric identification has a great advantage over the other methods: there's nothing to lose or forget!  

So, why don't we use fingerprints and retinal scans for identification now, instead of easily-forgotten passwords and easily lost cards and keys?  For the moment, biometric IDs still suffer from accuracy and cost disadvantages, but expect them to become common for computer access and for identification in daily life.

10. Access controls

So far, we've focused on letting only the "right people" into information systems, and keeping the "wrong people" out.  We also need to limit what particular persons can do -- such as what programs they are allowed to run, or what files they can view, modify or delete. 

Measures to enforce such limits are called access controls.

Why do we need them?  First, it's not a perfect world.  Sometimes despite our best efforts the wrong people will get past our identification barriers.  We need some way to limit damage when this occurs. 

Second, even if we let only the right people in, they can still make mistakes despite the best of intentions.  (And not everyone has good intentions -- workplace crimes are most commonly committed by insiders.)

11. Your own access privileges

All access controls have a common aim: They try to limit each person to what is needed to get his/her work done.  In health care settings, this is sometimes called the minimum necessary access to information.  If you have a military background, you may be more familiar with terms like "compartments" and "clearance."

If you find that you or someone you supervise needs more access privileges to get a job done, make a formal request for that.  Do not "borrow" the identity of someone with greater access privileges -- even if it's just "temporary."  (It can be considered a crime.) 

Alternatively, if you find that you or someone you supervise has been given more access privileges than really needed, make a request to have those reduced.  It's safer!

12. Monitoring and recording activity

Identification barriers and access controls exist to prevent problems.  As an additional layer of protection, computer systems monitor usage and keep records of "who did what."  This activity log is sometimes called an audit trail -- a term borrowed from accounting.

Monitoring and logging help detect security problems that weren't prevented by identity and access controls.  Always be aware that everything you do on a computer system may be recorded and subject to inspection for security purposes.

This is another reason to protect your identity, and report promptly if you think your identity may have been compromised:  Any activity that occurs using your identity will be recorded as having been done by you.

13. Using activity records yourself

Audit trails can contain a lot of data -- many thousands of records just for a single day of system activity.  So they are typically "read" by a computer program that flags suspicious behavior for humans to analyze later.

Sometimes you can read part of your audit trail information yourself.  For example, some systems inform you at login when you last logged in; or they identify the last time you used or modified a particular data file. 

Get in the habit of looking at this information, to be sure it reflects something you did.  If activity data doesn't seem right, it may mean your identity has been compromised.

(For exactly the same reasons, monitoring your own financial records can detect identity theft.)

14. Mistakes are inevitable

No identification system can be perfect.  Passwords get compromised, card-keys get lost, biometric sensors get fooled.  That's why we have the backup protections of access controls, monitoring and audit trails.

A security system also cannot be perfect in another way:  You -- very much in the category of "right people" to be sure -- may sometimes have trouble getting past security barriers. 

Maybe you will forget your password, or mistype it so many times that a system "locks you out."  Maybe you will forget to bring your ID or card-key to work.  Maybe you will misplace your USB or other computer access token.  Please be patient, and remember that the inconvenience you experience is essential for security. 

15. Inconvenience is inevitable too

Even when everything is working perfectly, identification processes still require a bit of time and inconvenience.  Audit trail recording processes require surveillance, which may feel like an invasion of privacy. 

We know it can be a pain to type in a password or PIN, swipe a card-key through a reader, put your finger or palm on a scanner, or present your ID to a security guard.  We know it can be annoying (at best) to contemplate that other persons are monitoring what you do.

Nothing in life is free.  This is the price of keeping information -- and everything else -- secure.  The price of insecurity is much higher.

16. If you remember nothing else

(1) Identity can be established by what you "are" -- physical characteristics, behavior, etc.  While it's not yet common for machines, it's an essential technique for humans to detect intruders and other "out of place" persons.

(2) Identity can be established by what you know -- a password, PIN or personal data like an SSN.  Protect this information.  Be very careful about how and with whom you share it. 

(3) Identity can be established by what you have -- metal keys, card-keys, ID badges, USB and other computer access tokens.  Protect these from loss or theft, and be careful about sharing.

(4) Audit trails log activity to detect problems.  Be aware you're being monitored.  When you can, use audit trail data yourself to detect problems.

•  •  •  •  •


   © 2002-2006 Contributing authors and University of Miami School of Medicine