Secure e-Business Infrastructure

Uploaded 2 Nov 2013 (category: Security)

Gerald Trites, CA*CISA, FCA
Professor of Accounting and Information Systems
St Francis Xavier University

Coverage of Session

What is meant by e-Business
What is meant by e-Business Infrastructure
What is meant by e-Business Security
Security - Risks and Benefits
State of e-Business Security
Professional Standards
Notes on Wireless Security


Definition of e-Business

In a very broad and general sense, electronic business has often been defined as any business carried out in electronic form.

"e-Business is the complex fusion of business processes, enterprise applications, and organizational structure necessary to create a high-performance business model." - Kalakota and Robinson

Components of e-Business

Strategic internet commerce
Collaborative commerce
Mobile commerce
e-Business involves a technological and business infrastructure


e-Business Infrastructure - Definitions

Basis for security strategy
Definition - IBM paper (pg 15)
Dell - http://www.dell.com/us/en/esg/topics/products_infrastructure_arc_pedge_000_internet-infra.htm

Infrastructure - a broader perspective

Hardware and operating systems
Networking infrastructure and technology
Intranets, extranets, shared technologies, policies, collaboration, including wireless
Enterprise resource planning
Data management - data warehousing - business intelligence applications
Web infrastructure and Internet applications
Software and related infrastructure


What is meant by e-Business Security

The infrastructure as a whole must be secure
IAPS 1013, para 9
Policies
Risk/benefit approach
Administration


e-Business Risks

We will address the incremental risks of e-business.

Risks that apply to traditional IT also apply to e-business. Some of the controls to address the incremental risks also apply to traditional risks.

General e-Business Security Risks

Web/Internet exposure
Access to back office systems
Integration of collaborative systems
Particular importance of encryption, digital certificates, PKI, etc.
Growth of wireless

e-Business Risks

Incomplete transactions because of network breakdown
Incomplete or inaccurate transactions because of cracker interception
Unauthorized transactions
Unauthorized access to confidential or personal information
Parties denying transactions because of insufficient audit trail
Inadequate participation by customers and stakeholders because of lack of confidence in information security, privacy and system reliability
Embarrassment caused by crackers
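Two of the risks above, transactions altered in transit and parties later denying a transaction because the audit trail is weak, share one control: a transaction log in which every record is sealed to the records before it, so an alteration, an omission or a truncation is detectable. The example below is added by the editor and is not from the deck; it uses only the Python standard library, a constructed key, and constructed sample transactions. It uses an HMAC chain, which proves the trail was not changed by anyone without the audit key; the non-repudiation the deck mentions (a party unable to deny a transaction to a third party) additionally needs each record signed with the party's own certificate-backed key, which is the PKI point the previous slide makes.

```python
import copy
import hashlib
import hmac
import json

# Constructed key for the example. In practice the audit-log service holds this secret,
# not the application that writes transactions, so a compromised application cannot
# re-seal the trail after altering it.
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = b"\x00" * 32  # fixed "previous tag" for the very first record


def seal_record(prev_tag, record):
    """Tag binding this record to the tag of the record before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_tag + payload, hashlib.sha256).digest()


def build_trail(records):
    """Append each transaction with a tag chained to the previous tag."""
    trail, prev = [], GENESIS
    for rec in records:
        tag = seal_record(prev, rec)
        trail.append({"record": rec, "tag": tag.hex()})
        prev = tag
    return trail


def verify_trail(trail):
    """Recompute the chain; return (True, None) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        expected = seal_record(prev, entry["record"])
        if not hmac.compare_digest(expected.hex(), entry["tag"]):
            return False, i
        prev = expected
    return True, None


def verify_against_head(trail, head_hex):
    """A chain alone cannot detect records cut off at the end; also compare the last tag
    with a head value recorded out of band (e.g. printed in the daily close report)."""
    ok, _ = verify_trail(trail)
    return ok and bool(trail) and hmac.compare_digest(trail[-1]["tag"], head_hex)


# Constructed sample transactions (not real data)
SAMPLE = [
    {"txid": 1, "customer": "C-100", "amount": 250.00, "action": "order"},
    {"txid": 2, "customer": "C-101", "amount": 99.95, "action": "order"},
    {"txid": 3, "customer": "C-100", "amount": 250.00, "action": "cancel"},
]


def demo_alteration():
    """Amount of the second record changed after the fact -> detected at index 1."""
    tampered = copy.deepcopy(build_trail(SAMPLE))
    tampered[1]["record"]["amount"] = 9.95
    return verify_trail(tampered)


def demo_deletion():
    """Second record dropped -> record 3 no longer chains to what precedes it."""
    trail = build_trail(SAMPLE)
    return verify_trail(trail[:1] + trail[2:])


def demo_truncation():
    """Last record dropped: the chain still verifies, the head comparison does not."""
    trail = build_trail(SAMPLE)
    head = trail[-1]["tag"]
    cut = trail[:-1]
    return verify_trail(cut), verify_against_head(cut, head)


if __name__ == "__main__":
    print("intact:", verify_trail(build_trail(SAMPLE)))
    print("altered:", demo_alteration())
    print("deleted:", demo_deletion())
    print("truncated (chain, head):", demo_truncation())
```

The truncation case is the one practitioners most often miss: an attacker who can delete the newest records leaves a perfectly valid chain, so the latest tag must be anchored somewhere the attacker cannot rewrite.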

Some Industry Statistics

In the 2003 "Computer Crime and Security Survey" of the CSI, 56% of the respondents acknowledged financial losses due to customer breaches.
In the same survey, 46% of respondents detected system penetration from the outside and 45% from the inside.
The cost of these incidents is reported at $201,797,340 USD.
In another survey, 17% of CIOs who experienced "external computer crime" said the attacks cost their company more than $1 million (CIO Magazine).
The results of a test in 2002 showed that, on average, it took 34 hours of forensics research to uncover and understand an unauthorized entry, while it took the cracker less than a minute to crack the system (Honeynet Project's Forensics Challenge).

Internet Security Issues

Securing the web server
Securing information that travels between the web server and the user
Protecting the organization's systems
Protecting the user's computer

Damages of Website Cracking

Theft of data
Web site defacement
Web site alteration, e.g., changing a sentence in the terms and conditions of an e-business service, thus exposing a company to liabilities

Other Damages of Cracking

Alteration of business systems
Denial of service
Virus Infection

Propagate by email
Infected through data download
Infected through diskettes or internal file transfer

Damage Caused by Viruses

Loss of business information
Down time for mission critical systems
Loss of customer confidence
Unauthorized disclosure of confidential or personal information

Approach to Security

Identify risks
Costs of those risks
Costs of covering those risks
Make hard decisions
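The four steps above are a risk/benefit evaluation, the same one the conclusions call for at infrastructure level. The deck does not prescribe a formula; the example below, added by the editor and not from the deck, assumes the common annualized-loss method (expected yearly loss = cost of one occurrence x expected occurrences per year) and adopts a control only when the loss it avoids exceeds what it costs. All figures are constructed, and each control is judged on its own, so overlapping controls for the same risk would need their combined effect modelled separately.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    single_loss: float   # cost of one occurrence (constructed figure)
    annual_rate: float   # expected occurrences per year (constructed figure)


@dataclass
class Control:
    name: str
    annual_cost: float   # yearly cost of running the control (constructed)
    risk: str            # name of the risk it addresses
    rate_reduction: float  # fraction of occurrences it prevents, 0..1 (constructed)


def annual_loss(risk):
    """Expected yearly loss from one risk, before any control."""
    return risk.single_loss * risk.annual_rate


def evaluate(risks, controls):
    """Step 2 and 3 of the deck's approach: cost of each risk and cost of covering it,
    then step 4: adopt the control only if it avoids more loss than it costs."""
    by_name = {r.name: r for r in risks}
    decisions = []
    for c in controls:
        r = by_name[c.risk]
        avoided = annual_loss(r) * c.rate_reduction
        decisions.append({
            "control": c.name,
            "risk": c.risk,
            "annual_loss": round(annual_loss(r), 2),
            "avoided_loss": round(avoided, 2),
            "control_cost": c.annual_cost,
            "adopt": avoided > c.annual_cost,
        })
    return decisions


def accepted_risks(risks, controls):
    """Risks for which no control was adopted: the 'hard decision' is to accept them
    knowingly, with the expected loss on record."""
    adopted_for = {d["risk"] for d in evaluate(risks, controls) if d["adopt"]}
    return {r.name: round(annual_loss(r), 2) for r in risks if r.name not in adopted_for}


# Constructed register using risks named on the earlier slides
RISKS = [
    Risk("Web site defacement", single_loss=20_000, annual_rate=0.5),
    Risk("Theft of customer data", single_loss=500_000, annual_rate=0.1),
    Risk("Virus infection downtime", single_loss=15_000, annual_rate=2.0),
    Risk("Terms-and-conditions alteration", single_loss=80_000, annual_rate=0.02),
]

CONTROLS = [
    Control("Web server hardening and change monitoring", 7_000, "Web site defacement", 0.8),
    Control("Encryption of customer data and access controls", 30_000, "Theft of customer data", 0.7),
    Control("Outsourced 24x7 monitoring service", 120_000, "Theft of customer data", 0.9),
    Control("Gateway and desktop anti-virus", 12_000, "Virus infection downtime", 0.9),
]


if __name__ == "__main__":
    for d in evaluate(RISKS, CONTROLS):
        verdict = "ADOPT " if d["adopt"] else "REJECT"
        print(f"{verdict} {d['control']}: avoids {d['avoided_loss']:.0f}/yr, costs {d['control_cost']:.0f}/yr")
    print("accepted risks:", accepted_risks(RISKS, CONTROLS))
```

Note that the monitoring service is rejected even though it prevents more incidents than the encryption control: the decision is about the money it saves against the money it costs, which is what makes the decision on the last slide a hard one rather than a purely technical one.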


State of e-Business Security

Not well defined
Numerous standards
Defining infrastructure helps
Incidents are down and spending is up - good sign


International Pronouncement

IAPS 1013 - Electronic Commerce: Effect on the Audit of Financial Statements
http://www.ifac.org/Store/Details.tmpl?SID=1020391644143062&Cart=10288243744623

Main Points in IAPS 1013

Knowledge of business
e-Business infrastructure
System and process integration
Dependence on Internet
Controls over encryption
Legal issues
Impact on audit evidence


Notes on Wireless Security

Wireless LANs (WiFi) - 802.11(b)
WEP
Bluetooth
Cell phones

Wireless Network Security (802.11)

Native system weak - WEP (Wired Equivalent Privacy)
Default is no WEP security - needs to be enabled at high encryption level
Set MAC address security
Need protection from:
  Denial of service attacks
  Parking lot attacks
  Man-in-the-middle attacks
  Session hijacking

WLAN Security Basic Recommendations

Develop a security policy
Enable WEP
Restrict MAC address access
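The three recommendations above are checkable settings, so they belong in a configuration audit rather than a one-off setup. The example below is added by the editor and is not from the deck: it runs the deck's checks (encryption enabled, at the high key length, MAC address restriction set) over a constructed access-point inventory and grades each access point. One caveat the deck predates: WEP's keystream reuse is exploitable at any key length, so the audit rates any WEP network HIGH and recommends WPA2, which replaced WEP as the 802.11 standard's encryption; that recommendation is the editor's, not the deck's.

```python
# Constructed access-point inventory (not from the deck); each entry mimics what an
# AP management export or a site survey would record.
ACCESS_POINTS = [
    {"ssid": "LOBBY-GUEST", "encryption": "none", "mac_filtering": False},
    {"ssid": "FINANCE-WLAN", "encryption": "wep", "key_bits": 40, "mac_filtering": True},
    {"ssid": "WAREHOUSE", "encryption": "wep", "key_bits": 104, "mac_filtering": False},
    {"ssid": "CORP-WLAN", "encryption": "wpa2", "mac_filtering": True},
]

SEVERITY_ORDER = {"CRITICAL": 3, "HIGH": 2, "LOW": 1}


def audit_access_point(ap):
    """Return (severity, message) findings for one access point."""
    findings = []
    enc = str(ap.get("encryption", "none")).lower()
    if enc == "none":
        # The deck's first point: the factory default is no encryption at all.
        findings.append(("CRITICAL", "no link encryption (factory default); frames readable from outside the building"))
    elif enc == "wep":
        if int(ap.get("key_bits", 40)) < 104:
            # The deck's second point: WEP must be enabled at the high encryption level.
            findings.append(("HIGH", "WEP at the low (40-bit) key length; the high level is required"))
        # Editor's caveat: WEP is broken regardless of key length, so it is rated HIGH
        # even at 104 bits and a migration to WPA2 is recommended.
        findings.append(("HIGH", "WEP in use; treat as unencrypted and migrate to WPA2"))
    if not ap.get("mac_filtering", False):
        # The deck's third point: restrict access by MAC address.
        findings.append(("LOW", "MAC address restriction not set"))
    return findings


def audit_fleet(aps):
    """Findings per SSID for a whole inventory."""
    return {ap["ssid"]: audit_access_point(ap) for ap in aps}


def worst_severity(aps):
    """Highest severity seen across the fleet, or None when everything passes."""
    worst = None
    for findings in audit_fleet(aps).values():
        for sev, _ in findings:
            if worst is None or SEVERITY_ORDER[sev] > SEVERITY_ORDER[worst]:
                worst = sev
    return worst


if __name__ == "__main__":
    for ssid, findings in audit_fleet(ACCESS_POINTS).items():
        print(ssid, "OK" if not findings else "")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
    print("worst:", worst_severity(ACCESS_POINTS))
```

MAC filtering is kept at LOW on purpose: addresses are sent in the clear in every frame and are trivially set on a client, so the control raises the bar slightly but is not a substitute for link encryption.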


Bluetooth Security

Profiles - headset, LAN, PAN
Passkeys (unit and combination)
Authentication and encryption

Conclusions

Needed for e-Business Infrastructure Security:
Infrastructure definition and monitoring
Infrastructure level risk/benefit evaluation and implementation
Process for ongoing security change management
Oversight, resources and constant vigilance

Presentation for Download

http://www.zorba.ca/e-BusinessSecurity.htm