RFID Connections: First of all, can you briefly describe the concept behind the services offered by your company?

At a high level, we offer security services for RFID technologies.  The services can really be broken down into the RFID audits and assessments and RFID hacking services.  The audit services and assessments really looks at the entire RFID implementation to understand the potential risk. 

The hacking services are usually scoped to come in and look at specific attack vectors.  A company could call us up to come in and to determine what type of information could be gleaned from a potential hacker in a parking lot or while in transit and things like that. 

Moving on, wondering when most people think of RFID security they tend to focus on technology alone such as the possibility that data on a tag could be intercepted or even changed.  Wondering is that enough or from a broader perspective in your expertise does RFID security really include other concerns?

RFID security encompasses a much broader spectrum than just the technical aspects.  The technical side is good to understand: how the tag should be configured, how the reader should be configured to give you more of a configuration standpoint. 

But what we’ve really got to do is we’ve got to pull back from that and we have to really understand how the entire RFID implementation works.  We have to understand the new data that’s being brought in, the data that’s being shared, who has access to this data -- there's a lot of other things for the operations side that we have to look at and not just the technical side alone. 

Okay Josh, wondering you mentioned operational and management issues.  How great an impact can they have on RFID security?  And are some of these issues more traditional database issues or are some specific to RFID?

It’s really specific to RFID.  When we bring in RFID, it’s going to really multiply the amount of data that’s being collected analyzed and shared, not only in one organization but between organizations, the supply chain for instance.  There’s going to be data that’s collected from the creation of a product all the way to the end user. 

So, that’s going to be a huge increase of the amount of data.  So, to look at operation and management, it is – it’s a very large part of the RFID security efforts.  I mean, just operations, for instance, we need to identify, you know, how will the routers be stored when they’re not in use?  What type of environments should the routers be used in? If you’re routing tags on site, do you need to have some type of protection around that environment so the signals aren’t intercepted – leakage and things like that.  How are the unused tags stored?  Separation of duty, collusion may be an issue in dealing with RFID. 

You know, you’ve got to look at the physical sides of it as well – your areas that use RFID, should that be restricted or monitored.  The thing is, you have to put a lot of thought into it.  It’s not just making sure that you changed the kill and access passwords.  You really have to understand how RFID is going to be implemented and integrated into your environment.  And once you understand that then we can start protecting it.

Josh, your website mentions NIST auditing.  Can you explain what sort of areas NIST recommendations cover, and why are these important?

The NIST (National Institute for Standards and Technology) guidelines are put out by the federal government for federal, state and local government to be used when implementing RFID. 

NIST is pretty technical, I mean, they do get the hands on side of it but it’s not really in-depth technical.  what they do a really good job of is the operational and management side. 

Coming from the federal government side, that’s really policies and procedures driven.  Their approach is put out your policies and procedures first and then audit your environment based on the policies and procedures that you have in place so to determine effectiveness. 

Are some RFID applications at lower risk than others?  In other words, if you were to categorize say the top five types of applications most in need of security audits, wondering what those would be please.

I do believe that some RFID implementations are at higher risk than others.  It depends on the type of data that’s being used and the type of systems that are connected.  Just off the top of my head, supply chain, that’s going to be a very important area to look into, your pharmaceutical supply chain. 

A couple other areas that we really have left untouched for many, many years is RFID access control.  That’s one thing that’s really not mentioned in the NIST and any other documentation or anything that’s really out right now.  No one’s really taking a look at your traditional RFID access control systems.  There’s been some mention of cloning and things like that, but there’s no real research in that area showing what other potential risks may be.

Josh, that was my last question.  So wondering, are there any other points that you think our listeners and readers should be aware of that we haven’t touched on yet today?

Yes, I think that the biggest thing with RFID is it’s going to be security before operations.  Their industry has been built on a certain way of thinking.  It’s always been operations before security in the past.  You know, get it out there, get it working and then we’ll come back and look at security later. 

But I think we’re at a point now that this may provide us a new way of thinking, a new way of implementing new technologies.  If we can understand the risks – the inherent risks brought along with the technology first and how to secure it – it’s really going to help the implementation side of it. 

If we know what to look for and know how to protect it then we can do that earlier. If you look at, say the software development life cycle, for instance, it really states that you want to identify risk earlier in your code before you roll out a big software package. 

And the reason for that is because if you fix these issues early, it really saves the money versus coming back in a year later, two years later and finding all these issues and having to basically rewrite your application.  So, we can apply that to RFID; if we can come out and determine these risks early.  It’s really going to save money and also save a lot of risk later on in the RFID implementation.  So, security before operations is our standpoint. 

About Joshua Perrymon

Josh is CEO PacketFocus and RFIDAudits.com.  For more than ten years, he has been involved in penetration testing, ethical hacking, security auditing and research. Josh has held senior positions and overseen network security at several Fortune 500 companies in America, including banks, chemical manufacturers and federal government agencies.

For the past three years, Josh has specialized in wireless and RFID security and has recently released a first-to-market hands-on RFID audit targeting Management, Operational, and Technological risk. Josh is also writing the RFID chapter for "Hacking Exposed-Linux Edition" and is currently developing

an RFID intrusion detection appliance known as the "RFDefender." Josh hopes to release this device commercially Q4 2007.

In January 2006, Josh moved to Australia and joined leading Internet security company, Pure Hacking, as a senior security consultant performing global penetration tests in 14 countries worldwide. Josh also owns PacketFocus, ( www.packetfocus.com ) An independent security services company. Josh uses this as a Internet medium to publish un-biased, independent research, including the new Live Linux OS ( Labrat v0.8) for OWASP used for application penetration testing. This will be released at

this years OWASP conference in Seattle, Washington. PacketFocus is also the only authorized ISECOM partner in the US and will be delivering training classing beginning Q2 2007.

About RFIDAudits.com

RFIDAudits offers NIST compliant RFID Security Audits. Our services are used to identify potential risk in pilot, pre-production, and production RFID enabled environments. We believe in planning for

security in the early stages of the implementation. However, our auditing services can be utilized at any stage of the business process to identify risks and provide remediation items. Most of our clients insist on involving us early so we can provide RFID security training and policies in the

beginning.

RFIDAudits is also working with ISECOM to develop and deliver RFID Security training and Certification. This certification track will be hands-on, providing students with the knowledge needed to secure the latest RFID enabled environments. The class will also teach students how to perform RFID security audits to assist with compliance efforts.

Share this Story
Digg   del.icio.us   Yahoo   Reddit   Facebook   Google

Related Articles :
No Related Content Found