SmartAdvice: Write IT Plan For Nonprofit That Incorporates Values
Measure the value of IT to a nonprofit in a plan with definable standards, The Advisory Council says. Also, plan around security concerns when implementing RFID; and protect confidential HR information the same way as other company data.
Question B: What security issues do we need to consider in using RFID?
Our advice: Most engineers, especially those involved in the design of cutting-edge technology, fail to appreciate that malicious hackers and high-tech criminals are the largest group of early adopters on the face of the planet. Their goals as early adopters are clear and well understood--find the flaws and exploit them when legitimate users roll out the technology. Somehow this message, one that reverberates throughout the global hacker community, never seems to be heard by the engineering community. Typical engineers, it appears, are incapable of thinking like crooks when analyzing the potential ways their designs and products may be maliciously manipulated. As a result, users are constantly challenged to make the best of a bad situation when it comes to implementing emerging technology in a secure manner, a problem which could have easily been mitigated in the early stages of the design process, had it been considered. Radio-frequency identification is no exception.
Over the next decade RFID will change our world with respect to asset management, inventory tracking, retail point-of-sale, and access control. In the long run, the impact will be positive. In the short term, there will be some serious bumps in the road. If you're considering investing in this technology, here are some key points you need to consider:
There are two types of RFID tags when it comes to cost: cheap and expensive. As you would imagine, the cheap tags have the majority of security flaws, while the expensive tags, those that support point-to-point encryption (ISO 14443 / DESFire) and a PKI key exchange, are the ones less likely to be maliciously manipulated.
Unfortunately, cheap tags rule the day in today's deployments, hence the problem at hand--a problem that pivots on four critical issues: First, RFID tag content, content that might include an electronic product code (EPC) or price, can be modified in the field. Second, cheap tags can be read and modified by hand-held devices such as a PDA equipped with a $220 compact-flash RFID read/write plug-in. Third, the hacker community already has embraced and is distributing free software with this capability. Fourth, the entire RFID use process is open to exploitation. Combine these factors and you have a crime waiting to happen.
Crimes Waiting To Happen
The most obvious crime is a new form of shoplifting, in which the EPC codes are changed to indicate a lower-priced item, which is then paid for at an automated self-service checkout. Another, less obvious problem, one that requires no modification to the tag, is a competitor surreptitiously scanning your merchandise to catalog what's on your shelves. On a similar tangent, rumors within law enforcement suggest that hijackers of cargo trucks are already using RFID readers to help determine which shipping pallets are worth stealing. Another is a form of denial of service, where EPC tag data is changed to random data, forcing a time-consuming manual inventory to correct the problem. But most serious is the opportunity for a criminal to get close to a person and use a hidden RFID reader to capture the content of the person's access-control badge. Given the tools that exist, only minor effort is required to duplicate the content, giving the criminal the ability to circumvent physical access controls if the RFID badge is the only requirement for authorized access.
As mentioned previously, RFID has enormous future potential, but those implementing this technology need to realize that the hackers and criminals of the world see the same potential in the short term, only from a different perspective.