- 201 - ENUMERATING RFID NETWORKS Brett J. L. Landry, PhD, CISSP, CRISC Center for Cybersecurity Education College of Business, University of Dallas 7460 Warren Parwkay, Suite 100 972-636-8633 blandry@gsm.udallas.edu Sandra J. Blanke, PhD, CISSP, CRISC Center for Cybersecurity Education College of Business, University of Dallas 7460 Warren Parwkay, Suite 100 972-265-5700 sblanke@gsm.udallas.edu ABSTRACT Organizations that adopt RFID can have tremendous gains in both efficiency and effectiveness. However, when viruses, worms, spyware, Trojan horses and hackers target these resources, the organization can cease to function. Therefore, RFID based networks should therefore be secure, private, and separate from other computing resources. It is important to remember that while RFID is just a tag, the tag, the reader, and the infrastructure can all be compromised. This paper examines the threats that can occur against the RFID reader and backend systems as well as the affect of rogue readers. INTRODUCTION It is important to realize that the deployment of RFID has issues beyond deployment cost. Network attacks have changed over the last decade from hackers looking for fame and glory to global organized crime rings. For example, in 2008, the FBI had infiltrated the Dark Market.ws website with over 2500 world wide members that was used as a brokerage to buy and sell stolen credit cards (McMillan, 2008). There is nothing to stop criminals from setting up web sites to trade and sell collected RFID data. These issues are vulnerabilities and include the loss of critical information either from destruction, alteration, disclosure, or availability. These concepts mirror the information security / assurance tenants of Confidentiality, Integrity, Availability (CIA) as well as Non Repudiation. Confidentiality is a security principle that works to ensure that information is not disclosed to unauthorized individuals (Harris, 2010). When unauthorized users access information they are not authorized to access this is a vulnerability and places the organization and its’ stakeholders at risk. In today’s compliance centric environment, organizations have to take the confidentiality of their data seriously. Data breaches that include Personal Identifiable Information (PII), also known as Non-Public Information (NPI), that are not encrypted have to be reported. These breaches are the efforts of external hackers attacking external facing and internal systems as well as disgruntled employees. The problem with a loss of confidential information is that once it is released, it is not possible to gather it up and make it private again. If the information is posted