ECommerce Models

1
E-Commerce Models Security

• Risks and Controls
• CSE/CJ 429
• September 26, 2006
• Severin Grabski
• Department of Accounting Information Systems

2
Session Readings

• How eCommerce Works (http//www.howstuffworks.com/
  ecommerce.htm)
• Sarbanes-Oxley Compliance
• (http//www.informit.com/articles/article.asp?p3
  37041 )
• How Credit Cards Work (thru on-line safety)
• (http//money.howstuffworks.com/credit-card.htm)
• How Encryption Works
• (http//computer.howstuffworks.com/encryption.htm
  )
• How Identity Theft Works
• (http//computer.howstuffworks.com/identity-theft
  .htm)
• Urban Legends (Click on Computers)
• Viruses (http//www.snopes.com/computer/computer.a
  sp/)

3
Additional Readings

• COSO Publications
• http//www.coso.org/publications.htm
• ISACA (CobiT)
• http//www.isaca.org/template.cfm?sectionhome
• SOX, COSO CobiT Mapping
• http//www.theiia.org/itaudit/index.cfm?fuseaction
  forumfid5553
• CIO Today
• http//www.cio-today.com/news/FTC-Shuts-Down-Major
  -Spyware-Ring/story.xhtml?story_id03000118ALEU

4
Session Outline

• IT Governance
• SOX, COSO CobiT
• eCommerce
• B2C
• B2B
• Security Lapses
• Security Techniques

5
Importance of Private Sector CyberSecurity

• The private sector owns or manages a large number
  of critical infrastructures
• Banking and finance
• Electricity
• Oil and gas production
• Telecommunications
• Transportation
• Water supply
• Nearly everything the U.S. military does depends
  on computer-driven civilian information networks.
• About 95 of military communications travel over
  the same networks used by civilians

6
IT Governance

• Enterprise leaders are responsible to ensure
  that IT
• Aligned with the business
• Delivers value
• Performance is measured
• Resources properly allocated
• Risks mitigated

7
IT Governance

• Governance structure
• Partially a result of perceived need
• Board of Directors, Top Management
• Partially a result of regulations
• Sarbanes-Oxley Act

8
Need for IT Governance

• IT is important for delivering the organizations
  strategy
• Organizations are suffering from IT operational
  problems
• 75 of the CIOs perceive need for better IT
  governance
• IT governance helps provide IT value manage IT
  risks
• IT governance frameworks used to align IT
  strategy to business strategy
• IT governance used to manage IT operational risks

9
Sarbanes-Oxley Act

• Regulations on Publicly Traded Firms
• The Sarbanes-Oxley Act of 2002 is designed to
  ensure the following within a business
• There are sufficient controls to prevent fraud,
  misuse, and/or loss of financial
  data/transactions.
• There are controls to enable speedy detection if
  and when such problems happen.
• Effective action is taken to limit the effects of
  such problems.
• In many companies, most of these controls are
  IT-based.

10
Sorting the SOX (Lions Tigers Bears OH MY!)

• SOX Sections
• 302
• Requires managements quarterly certification of
  financial reporting controls and disclosure
  controls procedures
• 404
• Requires management of public companies take
  responsibility to develop maintain effective
  system of internal controls
• Reporting on the systems effectiveness.
• 906
• Rapid (within 4 business days) disclosure of
  material changes in the financial condition or
  operations of the issuer
• 22 triggering events detailed

11
SOX 302

• The signing officers (CEO, CFO)
• Are responsible for establishing and maintaining
  internal controls
• Have designed such internal controls to ensure
  that material information to the issuer and its
  consolidated subsidiaries is made to such
  officers by others within those entities,
  particularly during the period in which the
  periodic reports are prepared
• Have evaluated the effectiveness of the issuers
  internal controls an of a date within 90 days
  prior to the report and
• Have presented in the report their conclusions
  about the effectiveness of their internal
  controls based upon their evaluation as of that
  date.
• The signing offers have disclosed to the auditors
  and audit committee of the Board of Directors
• All significant deficiencies in the design or
  operation of internal controls that could
  adversely affect the issuers ability to record,
  process, summarize, and report financial data and
  have identified for the issuers auditors any
  material weaknesses in internal controls and
• Any fraud, whether or not material, that involves
  management or other employees who have a
  significant role in the issuer's internal
  control.

12
SOX Compliance

• Companies must demonstrate conclusively that they
  have the following in place
• Macro Level Anti-Fraud Analysis
• Macro Level Assessment Against a Control Model
• COSO
• Sufficiency of IT General Controls
• COSO, COBIT
• Reliable 10-K, 10-Q, Notes, Supplemental
  Disclosures
• COSO
• Material Weakness in any of the above requires
  External Auditors to conclude that the disclosure
  controls overall are not effective and give a
  negative internal controls opinion

13
Cost of SOX Compliance

• Compliance spending in 2004 estimated at 5.5B
• Companies 5B Sales 10.5M SOX Cost
• Average audit fees up 45 (13M)
• GE Audit fees increased 41 (78M)
• 33M SOX 404
• United Technologies Audit fees doubled 20M
• Yellow Roadway - Audit fees doubled 4M
• 10M for SOX Documentation

14
Cost of SOX Compliance
Smaller companies are pretty screwed by the
whole process because the SarbOx requirements are
going to really cost them money they can't
possibly make up in more efficient operations.
Larger companies are so screwed up in general
that the sorts of things they need to do to
improve their financial control is likely to have
positive knock on effects on financial operations
beyond audit and compliance. How companies
should handle Sarbanes-Oxley compliances Friday
April 22, 2005 (0200 PM GMT) Melanie
Hollands http//management.itmanagersjournal.com/m
anagement/05/04/22/0340218.shtml
15
SOX Compliance IT Controls

• Extent of documentation testing requires
  judgment
• Management must document and test
• Relevant General IT controls
• Controls over program development, program
  changes, computer operations, and access to
  programs and data
• Appropriate Application-level controls that are
  designed to ensure that financial information
  generated from a company's application systems
  can be relied upon.
• For purposes of Section 404 assessment, not
  necessary to test general IT controls that do not
  pertain to financial reporting
• Not appropriate to exclude new IT systems and
  upgrades from the scope of its assessment of
  internal control over financial reporting

Staff Statement on Management's Report on
Internal Control Over Financial Reporting (16 May
2005) http//www.sec.gov/info/accountants/stafficr
eporting.htm
16
Risk Type and IT Controls
OS Security DB Security Network
Security Application Security

Sarbanes-Oxley Scope
Anti-Virus Anti-Spam Email / IM
Security Bluetooth Security
Data Privacy Data Classification
Incident Response End User Awareness
Disaster Recovery and Business Continuity Planning
17
Internal Controls
A Companys internal control structure is
defined at several layers
Business Processes / Classes of Transactions
Process A
Process B
Process C
Process A
Process B
Process C
Change Management
Financial Applications
Access Management
Application A
Application B
IT Operations
IT Infrastructure Services
Database
Operating System
Network
18
Sarbanes-Oxley Act

• General computer controls impact all IT systems.
  The following types of controls are usually
  included
• Security policies, standards, and processes,
  e.g.
• Authentication/access controls,
  Laptop/workstation security
• Antivirus policies, Password policies
• Firewall/VPN policies, Intrusion prevention and
  detection policies
• Physical access security
• Internet usage policies (see "Why You Need a
  Company Policy on Internet Use")
• Incident management policies and procedures
• Hardware/software configuration, installation,
  testing, management standards, policies, and
  procedures
• Service-level agreement policies
• Coding standards/reviews, Testing
  procedures/policies

19
Sarbanes-Oxley Act

• IT security should form a large part of the
  audit process. It's important to demonstrate
  that policies are in place are being followed
  effectively in the following areas
• Physical security
• How people get access to the building (how ID
  cards are issued, security guards are vetted,
  etc.)
• Where the computer equipment is kept and how it's
  secured from theft, fire, flood
• Policies dictating physical security
• Laptop (and wireless devices) and workstation
  physical security
• Intrusion detection/prevention
• Which IDS/IPS software is running on which
  network components
• Who is alerted when intrusions are detected
• Policy for handling intrusions, etc.

20
Sarbanes-Oxley Act

• Additional General IT Controls
• Logging
• Error logging
• Incident logging
• Reviews of logs
• Policy for acting on unusual activities
• Access to logs/changes to logs
• Antivirus/spyware policy
• Firewall policies for content filtering, closing
  ports, etc.
• (Music) CDs (DRM software issues!)
• Network antivirus policy
• Email antivirus
• PC antivirus setup
• Server antivirus
• Communication to users to educate them in how to
  deal with viruses
• Remote-access policy
• VPN policy
• Access via modem/DSL/Bluetooth/wireless, etc.

21
Sarbanes-Oxley Act

• Additional General IT Controls
• Configuration policy
• Firewall/router/hub setups to ensure that "back
  doors" are closed, patches are installed, etc.
• Server (especially web server) setup policy to
  ensure that potentially dangerous protocols are
  turned off (such as Telnet and FTP)
• Control over installation of new software
  (testing of software in lab conditions before
  installation)
• Inventory to ensure that someone knows which
  network components exist and where they are, how
  they're configured and changed, etc.
• Authentication/access controls
• Regular vulnerability assessmentto include port
  scanning, checking for software patches that are
  not up to date, checking for antivirus updates
  that are not in place, and so on

22
New Laws Guidelines

• Energy Policy Act of 2005
• Improve security in power companies. The act
  calls for the implementation of mandatory
  reliability standards in bulk-power systems
  operating interconnected, electric-energy,
  transmission networks. Reliability standards and
  cybersecurity protection standards to help thwart
  online attacks are included.
• NERC (North American Electrical Reliability
  Council) cybersecurity standards ( CIP-002-1 to
  CIP-009-1 ). Power companies using bulk
  electricity systems properly identify and protect
  critical online assets that control/impact their
  performance. Companies operating bulk-power
  systems will be required to conduct extensive
  background checks on employees working in IT
  security. The cybersecurity standards address
• Critical online asset protection.
• Security of management controls and systems.
• Hiring and training of power plant personnel.
• Incident reporting.
• Disaster response planning.
• Creation of recovery plans.

23
More Laws Guidelines

• U.S. Federal Information Security Management Act
  (FISMA) of 2002 - law governing Federal
  information security
• http//csrc.nist.gov/policies/FISMA-final.pdfse
  arch'fisma
• DoD Security Technical Implementation Guidance
  http//iase.disa.mil/stigs/index.html
• IT Security Compliance (IIA)
• http//www.theiia.org/itaudit/index.cfm?fuseaction
  forumfid5670
• Tips for PC Security http//www.pcmag.com/article2
  /0,1895,1880542,00.asp

24
Theoretical Business IT Security Approach

• Take IT Governance Perspective
• Look at Cost/Benefit Trade-off
• Looking at Convergence of entire security area
  (physical computer)

25
Actual Business IT Security Approach

• Recommended by staff
• What others are doing
• What we can afford
• Told to by auditors
• Fits in portfolio and risk appetite

26
Recommended process for selecting IS security
projects
Does the project meet the qualitative criteria
required to qualify for financial evaluation?
Pursue alternative projects
No
Yes
No
Perform DCF analysis to quantify the expected
value
No
Is the overall risk of the IS project portfolio
at acceptable levels after inclusion of this
project?
Assess the contribution of this projects risk to
the risk of the IS project portfolio
Does this project provide real options?
No
Does the project generate positive value?
Yes
Yes
Yes
Apply options valuation to quantify the real
option embedded
Propose the project for top managements approval
Yes
27
Key Control Concepts

• Internal control (i.e., security) is a process
• A means to an end!
• Internal control is effected by people
• It is not policies forms!
• Internal control can be expected to provide
  reasonable assurance not absolute assurance
• Only as strong as the weakest link!!!

28
Why Internal Controls?

• To provide a reasonable level of assurance that
  everything is done properly and that no
  unauthorized actions occur
• Ensure managements policies are followed
• Ensure valid data (Record, Maintain, Report)
• Ensure appropriate data provided to authorized
  users (Employees, Customers, Vendors,
  Stockholders, Regulatory Agencies)
• Ensure Assets are valued/protected/used in an
  appropriate manner
• Ensure that Business Events are properly valued
  and recorded accurately and timely
• Ensure that appropriate Agents participate in
  Business Events

29
Control Frameworks

• COSO
• General Control Model
• Committee of Sponsoring Organizations of the
  Treadway Commission (originally formed in 1985)
• COBIT
• IT Control Model
• IT Governance Institute

30
COSO Internal ControlIntegrated Framework (ICIF)

• The committee of Sponsoring Organizations (COSO)
  is a private sector group consisting of the AAA,
  AICPA, IIA, IMA, and FEI
• Issued in 1992, Provide guidance for evaluating
  and enhancing Internal Control Systems
• COSO ICIF has five components
• Control Environment Tone at the Top
• Risk Assessment
• Control Activities Prevent-Detect-Correct
• Information Communication
• Monitoring Is the IC System Working?

31
COSO ERM-IF

• Enterprise Risk Management Integrated Framework
  (2004)
• Expands and elaborates on elements of internal
  control as set out in ICIF
• Includes objective setting as a separate
  component.
• Objectives are a prerequisite for internal
  control.
• Expands the control frameworks Financial
  Reporting and Risk Assessment.
• Requires a Portfolio View of risk

Objectives
Components
Business Units
32
COSO ERM-IF

• a process,
• effected by an entity's board of directors,
  management and other personnel,
• applied in strategy setting and across the
  enterprise,
• designed to identify potential events that may
  affect the entity, and
• manage risks to be within its risk appetite,
• to provide reasonable assurance regarding the
  achievement of entity objectives.

33
COBIT
SOX requires the demonstration of the
sufficiency of IT general controls
COBIT is one model of that can be chosen

• Planning
• Acquisition Implementation
• Delivery Support
• Monitoring

• IT Delivery must enable the organization to
  achieve its objectives
• Promotes process focus and process ownership
• Looks at fiduciary, quality and security needs of
  enterprises
• 7 Information criteria to define business
  requirements
• Supported by 300 specific control objectives

• Effectiveness
• Efficiency
• Availability
• Integrity
• Confidentiality
• Reliability
• Compliance

34
IT Domains
Planning and Organization IT Strategy and
tactics, the identification of the way IT can
best contribute to the achievement of the
business objectives. Acquisition and
Implementation - IT solutions need to be
identified, developed or acquired, as well as
implemented and integrated into the business
process. Maintenance/changes of existing systems
are included to make sure that the life cycle is
continued for these systems. Delivery and Support
- Actual delivery of required services, which
range from traditional operations over security
and continuity aspects to training, includes the
actual processing of data by application systems,
often classified under application
controls. Monitoring - Regular assessment of IT
processes over time for their quality and
compliance with control requirements, addresses
management's oversight of the organization's
control process and independent assurance
provided by internal and external audit or
obtained from alternative sources.
35
COBIT IT Processes Defined within Domains
Business Objectives
PO1 Define a strategic IT plan PO2 Define the
information architecture PO3 Determine the
technological direction PO4 Define the IT
organisation and relationships PO5 Manage the IT
investment PO6 Communicate management aims and
direction PO7 Manage human resources PO8 Ensure
compliance with external requirements PO9 Assess
risks PO10 Manage projects PO11 Manage quality
M1 Monitor the process M2 Assess internal
control adequacy M3 Obtain independent
assurance M4 Provide for independent audit
MONITOR AND EVALUATE
DS1 Define service levels DS2 Manage
third-party services DS3 Manage peformance and
capacity DS4 Ensure continuous service DS5
Ensure systems security DS6 Identify and
attribute costs DS7 Educate and train users DS8
Assist and advise IT customers DS9 Manage the
configuration DS10 Manage problems and
incidents DS11 Manage data DS12 Manage
facilities DS13 Manage operations
AI1 Identify automated solutions AI2 Acquire
and mantain application software AI3 Acquire and
maintain technology infrastructure AI4 Develop
and maintain IT procedures AI5 Install and
accredit systems AI6 Manage changes
36
Are Businesses Secure???

• Yes!
• No!
• Maybe?

37
Secure Businesses?

• NTA (European Internet Security Testing Firm)
  http//www.nta-monitor.com/index.htm evaluated UK
  eCommerce sites from 10/02 1/03
• Half of all sites tested had one or more
  high-risk vulnerabilities
• Two thirds had four or more medium risk
  vulnerabilities
• Two thirds of those tested had six or more low
  risk vulnerabilities
• Two thirds had six or more informational
  vulnerabilities
• Spear Phishing (http//www.nta-monitor.com/newrisk
  s/aug2005/spearphishing.htm )

38
Frequent Flaws
39
Frequent Flaws
40
CyberSecurity Lapses

• Ex-Teledata employee pleads guilty in massive ID
  theft case illegally downloaded 30,000 credit
  reports (9/15/04)
• California group sues Albertsons over privacy
  (9/10/04)
• Alleges that confidential pharmacy customer data
  used in direct mailing for large drug companies
• eBay.de Domain hijacked (9/8/04) via request for
  DNS transfer
• Hard drive with 23,000 SSNs (students, faculty,
  other employees) disappears from CSU system
  (9/3/04)

41
More CyberSecurity Lapses

• Insider Hacking (Financial Times, 11/9/05)
• Fastest growing threat to Financial Institutions
• 35 security breaches in past 12 months (was 14)
• Organized crime planting staff for ID theft
• Why?
• Easy access to hacking tools (less than 10
  minutes to hack!)
• Easy to carry out large amounts of data (USB
  Drives)
• Poor controls/patching/policies

42
Even More CyberSecurity Lapses

• Former AOL employee sold 92M e-mail addresses (15
  months in prison)
• Sun newspaper reporter alleged to have been sold
  bank account details for 1,000 UK customers from
  Indian call center worker
• Threat Rates for
• Virus (per 1000 PCs) is 4,000/day
• attack-related scans 340/internet address/day
• Insider using someone elses logged in computer
  inappropriately 4 attempts/1000 users/day

43
And Even More CyberSecurity Lapses

• VA
• Unisys subcontractor arrested in VA computer
  theft
• http//cwflyris.computerworld.com/t/859798/292510/
  33966/2/
•   Unisys offers 50,000 reward for missing VA
  computer
• http//cwflyris.computerworld.com/t/777304/292510/
  30195/2/
• Flurry of new data breaches disclosed
• http//cwflyris.computerworld.com/t/611061/292510/
  23257/0/

44
And Still Even More CyberSecurity Lapses

• Security Survey Security Breaches Strike One in
  Three CompaniesThe first set of results from our
  latest annual Security Survey provides an update
  from the war zone that is IT security. There's
  plenty of bad news over half of companies over
  1 billion report security breaches in the past
  12 months, and 45 percent have been targeted by
  organized criminals.
• Survey 81 of U.S. firms lost laptops with
  sensitive data in the past year
• http//cwflyris.computerworld.com/t/777304/292510/
  30194/2/

45
And Even More Industries to Worry About

• FDA reiterates that pharmaceutical companies must
  be prepared to document their products along the
  supply chain by the end of this year.
• http//ct.enews.eweek.com/rd/cts?d186-4253-38-104
  -23506-494799-0-0-0-1
• Chemical industry launches a cyber-security
  program to guard against shared threats--and
  possible disaster.
• http//ct.enews.eweek.com/rd/cts?d186-4253-38-104
  -23506-494802-0-0-0-1

46
Disaster!

• Rolling Power Outages Hit LA, Chicago, NY, D.C.
• DoD e-mail Phone Services are Disrupted
• Navy Cruiser Computer Systems Taken Over
• D.C. 911 Service Fails
• All Happened in 1997!
• NSA had 35 Hackers launch simulated attacks
• Root Level Access Obtained in 36 Networks

47
What, Me Worry?

• Data Security
• Business Policies
• Transaction Processing
• Data Privacy
• Systems Reliability
• SANS' Top 20 Security Threats
• Cyber Security Tips (http//www.us-cert.gov/cas/ti
  ps/)

48
Business Worries

• Escalation of attacks targeted at e-commerce
  companies (9/24/04)
• http//www.infoworld.com/article/04/09/24/HNattax
  _1.html?SECURITY
• DDoS attach against Authorize.Net
• Credit card processor
• Serves 100,000 SMEs on-line businesses
• Target of intermittent large-scale DDoS
  (9/15/04)
• DDoS started after company refused extortionists
  demand for substantial amount of money

49
More Business Worries

• A New York suburb is considering legislation that
  would make it a crime to run an unsecured Wi-Fi
  access point, News.com reports. (11/6/05)
• Sony's rootkit-like copy restrictions on some of
  its music CDs use of music CDs in the office?
• Trojan horses emerged that avoid detection by
  using the digital rights management software used
  by Sony on some of its audio CDs. (11/14/05)

50
New Attack Patterns

• Attacks now on application programs (noticeably
  backup, recovery, antivirus)
• Attacks on critical vulnerabilities found in
  network devices (routers, switches)
• Targeted Attacks on businesses
• http//www.sans.org/top20/2005/press_release.pdf

51
CAVR

• Used to Evaluate Controls in Business/Accounting
  Processes
• Completeness Transactions entered once (only
  once) and accepted for processing
• Accuracy Record correct amount, appropriate
  time period, correct account
• Validity All transactions are REAL, actually
  occurred, relate to organization, approved by
  designated person
• Restricted Access Data protected against
  unauthorized adjustments, ensure confidentiality,
  protect physical assets

52
Security Concerns

• Security of Data
• How secure are the data that are maintained?
• How secure are the data that are transmitted?
• Business Policies
• What are the business policies (sell customer
  list)?
• Are policies followed?

53
Security Concerns

• Transaction Processing Integrity
• How ensure transactions are processed according
  to agreed upon methods?
• How ensure orders are not lost?
• How ensure bills and account information are
  processed accurately?
• How ensure payments are recorded in a timely
  manner?
• How ensure that correct items and quantities
  recorded?

54
Security Concerns

• Privacy of Data
• What is the privacy policy?
• What information is kept?
• International --- Laws??
• How will collected information be used?
• Will any information be disclosed/sold?
• Can I verify/change/delete data?
• How ensure policies are followed?
• Systems Reliability
• Will the system be available when needed and
  performing procedures and processes as designed
  without exception?

55
System Monitoring

• Continuous Monitoring of Data
• http//oversightsystems.com/index.html

56
Trust

• In eCommerce, trust is the willingness of a
  trading partner to be vulnerable to the actions
  performed by the system of another trading
  partner based on the expectation that the other
  trading partner will perform a particular action
  or sequence of actions important to the trustor
  (customer), irrespective of the ability to
  monitor or control the other trading party.

57
Reality?

• http//www.dowethics.com/  
• http//www.dow.com 
• http//www.whitehouse.net/
• http//www.whitehouse.gov/
• http//www.whitehouse.org/
• How do you know who to trust?

58
Trust

• Critical for eCommerce
• How Obtain Trust?
• Company Reputation
• Seals
• BBB (http//www.bbbonline.org/privacy/ )
• TRUSTe (http//www.truste.org/ )
• WebTrust (http//www.webtrust.org/ )
• VeriSign (http//www.verisign.com/ )
• Other Ways?
• Why Trust a Seller (Buyer) on eBay?

59
E-Mail Trust?

• "E-Mail Snooping Ruled Permissible," by Kim
  Zetter, Wired News, June 30, 2004
  http//www.wired.com/news/politics/0,1283,64043,00
  .html?twnewsletter_topstories_html
• The First Court of Appeals in Massachusetts ruled
  that Bradford C. Councilman did not violate
  criminal wiretap laws when he surreptitiously
  copied read his customers e-mail to monitor
  their transactions.
• Councilman, owner of a website selling rare
  out-of-print books, offered book dealer customers
  e-mail accounts through his site. But unknown to
  those customers, Councilman installed code that
  intercepted and copied any e-mail that came to
  them from his competitor, Amazon.com. Councilman
  did not prevent the mail from reaching
  recipients, he read thousands of copied messages
  in order to know what books customers were
  seeking and gain a commercial advantage over
  Amazon.
• The court acknowledged in its decision that the
  Wiretap Act, was perhaps inadequate to address
  modern communication methods.

60
eCommerceB2B, B2C, and Intranets
B2C
B2B
Enterprise
Source Gartner Group, EDS Electronic Markets
61
TRUST? --- B2C OOPS!

• HR Block exposed confidential tax return data
  for 26 customers during 2000 tax season.
• An upgrade to the system was to enhance
  performance, unfortunately, debugging the upgrade
  shut the system down for a week.
• Confidential data were exposed when a user logged
  off and another user logged on. The previous
  users data was imported into the subsequent
  users documents and screen views.

62
B2C

• Steps?
• Where need Security?

63
(No Transcript)
64
eCommerce Steps
65
Attract Buyers

• How Attract?
• Risks?

66
Inform

• Risks?

67
Sell

• Must it be customized?
• Compete on Price, Quality, Timeliness, etc.
• Risks?

68
Carry Out Transaction

• Risks?

69
Customer Payment

• Risks?

70
After-Sale Interaction

• Risks?

71
Distribute Product

• Risks?

72
Customer Relationship Management

• Risks?

73
(No Transcript)
74
B2B Data Communication Issues
75
Basic CyberSecurity Issues
76
Basic CyberSecurity Issues
77
Secure Internet Communication

• How do you communicate securely over the
  internet?
• SSL (Prevent tampering, assure confidentiality)
• SSL (Secure Socket Layer) security protocol that
  provides data encryption, server authentication,
  message integrity, and optional client
  authentication for a TCP/IP connection.
• How does a customer know that you are who you say
  you are?
• Certificates (Authenticate)
• Server This is really me!
• Personal Im a returning customer, cant
  repudiate

78
5 Web Site Security Issues

• Is data protected against interception or
  alteration by third parties during transmission?
• When sensitive data, like credit card numbers or
  health-care information, is sent over the Web
  without the protection of SSL, there is a risk
  the data will be intercepted and even altered by
  hackers during transmission.
• Does your Web site security prevent auto security
  notices?
• All Web browsers have security mechanisms to help
  prevent users from unwittingly submitting their
  sensitive information over unsecured channels,
  which can equal lost business. Web site must have
  a valid SSL Certificate to prevent these warnings
  from being displayed.
• Does your Web site provide the highest security
  available, regardless of browser version?
• 128-bit encryption is the strongest SSL
  encryption available in todays browsers

79
5 Web Site Security Issues

• Can you verify to customers that your Web site is
  owned by a "legitimate" business?
• Customers and business partners must be confident
  that their sensitive information is being shared
  with a real entity, not a "spoof" site
  masquerading as a legitimate business.
• Does your Web site display a recognized trust
  mark?
• The VeriSign Secure Site Seal is the leading sign
  of trust on the Internet (Cheskin/Studio
  Archetype Study).

80
Secure Messaging Protocols Secure Electronic
Transmission (SET)

• Specification Core Includes Use of Cryptography
• Provides Confidentiality of Information
• Ensure Payment Integrity
• Authenticate Both Merchant Cardholder
• Interoperate with Other Protocols

81
SSL versus SET

• Both
• Encrypt Data
• Confirm Message Integrity
• Authenticate Merchant
• Only SET
• Authenticate Consumer (SSL v.3 does this)
• Transmit Specific Data on Need to Know
• CC Stay Encrypted on Merchant Site
• No Need for Merchant to Secure Credit Card
  Internally
• Includes Bank/Trusted 3rd Party in Transaction

82
Encryption/Cryptography

• Private Key
• Public Key
• Digital Signature
• Management of Keys

83
Private Key Encryption
Secret 56-bit Key
Same Secret Key
Plaintext
Cyphertext
Plaintext
Encryption with DES Method
Decryption with DES Method
Initial Text
Transmitted Text
Initial Text
84
Public Key Encryption
Receivers Public Key
Receivers Private Key
Plaintext
Cyphertext
Plaintext
Encryption with RSA Method
Decryption with RSA Method
Initial Text
Transmitted Text
Initial Text
At Receivers Site
At Senders Site
85
Public Key Infrastructure (PKI)
Registration Authority
Signing Party
Certification Authority
Private Key
Signed Message
Revocation List
Public Key
Relying Party
Certification Registry
Public Key
86
Public vs. Private Keys

• 2 different keys
• Easy to distribute
• Integrity and non repudiation through digital
  signatures
• Slow
• Intensive computation (but not a real problem
  with current PCs)

• Both keys the same
• Difficult to distribute
• No digital signatures
• Fast
• Easy to implement

87
Theoretical Times to Crack Encryption Schemes

• DES encryption.
• 40-bit max of 0.4 second
• 56-bit max of 7 hours
• 64-bit max of 74 hours, 40 minutes
• 128-bit max of 157,129,203,952,300,000 years

88
Theoretical Times to Crack Encryption Schemes

• Netscape does not use DES (it uses RC-4)
• 40-bit 15 days max
• 56-bit 2,691.49 years max
• 64-bit 689,021.57 years max
• 128-bit 12,710,204,652,610,000,000,000,000 years
  maximum
• A graduate student's network of Unix-based
  computers cracked Netscape's 40-bit encryption in
  eight days (would have taken a maximum of 15 days
  if it had to try every single key).

89
Digital Signatures
Could then encrypt with Receivers Public Key
Would need to first decrypt with Receivers
Private Key
90
(No Transcript)
91
Banking Security

• Banks View
• Customers View

92
On-Line Banking Security Banks View

• Password
• Encryption
• Firewalls
• Automatic Log-off
• 3-Strikes Youre Out!
• Traffic Monitoring
• Limit Access/Record Who Accesses Accounts
• Tiger Teams
• 3rd Party Contractors (??)

93
On-Line Banking Security Customers View

• Check with FDIC
• Evaluate Site (Legitimate)
• Go to the Mountain, Dont have the Mountain come
  to you!
• Foreign?
• Username/Password Selection
• Multiple Usernames/Passwords
• Have Computer Remember Password??

94
On-Line Banking Security Customer View, Cont.

• Log-Off!
• Use Anti-virus Software
• Use Modern Browser with Strong Encryption
• Download Patches!
• Report Security Problems
• CyberCafes??
• Work PCs??
• Shred Paper Documents
• Ask Questions!

95
Illicit Internal Cyber Activity in Banking
Finance

• Study conducted by US Secret Service CERT
  CMU Published 8/04
• Focused on Insider Threats
• 78 of perpetrators were authorized users
• 81 crimes were preplanned
• 30 losses 500,000

96
Insider Crimes

• 1997-2002, foreign currency trader for investment
  bank used variety tactics including changing data
  in systems made it look like he was star trader,
  lost over 600M
• 3/2002 logic bomb deleted 10 billion files in
  international financial services firm. Affected
  over 1300 servers, losses of 3M
• Logic bomb created by disgruntled employee over
  dispute about annual bonus

97
Primary Findings

• Most incidents used little technical
  sophistication
• 87 cases involved simple user commands
• 9 (13) involved scripting (spoofing/flooding)
• 70 cases involved exploitation of
  vulnerabilities in basic business rules/policies
• Perpetrators planned their actions
• Were not aware of consequences of action
• Cannot pass background checks
• Google search on full name returns information on
  incident
• Financial gain was primary motivation

98
Primary Findings

• No common profile for perpetrators
• Ages 18-59
• 42 female
• 27 had criminal records
• Incidents detected via various methods
• 61 perpetrators detected by non-security
  personnel
• 22 cases detected by auditors
• Luck plays large part in detecting crime!
• Perpetrators committed crimes while on job
• 83 attacks occurred from inside the organization
• 70 attacks during normal working hours

99
Risks of Insecure Systems

• Intentional Acts of Fraud or Abuse
• Alter inputs -- relatively easy, doesnt require
  technical skill
• Bank account deposit slips modified
• Desktop publishing system used to mail fictitious
  bills
• Railroad employees falsely enter freight car
  destruction, then repainted and sold cars
• Alter software -- requires skill
• Viruses and Trojan horses
• Alter data files (copy, delete, or use)
• Labels removed from 100s of tapes/disks by
  employee
• Employee took powerful magnet to disks/tapes
• Employee sold information from wordprocessing
  files regarding potential mergers/acquisitions
• Viruses and Trojan horses
• Operate system in unauthorized manner -- steal
  time
• Steal or misuse output -- screen or printout

100
Risks of Insecure Systems

• Risks to Customers
• False or Malicious Websites
• Stealing IDs Passwords
• Stealing Credit Card Information
• Man in the Middle info can be stolen even with
  SSL!
• Stealing Files From Visitors Hard Drives
• Non-Secure Environments
• Theft of Customer Data from Sellers ISPs
• Spyware
• Cookies Privacy (?)

101
Wardriving

• You can look, but you cannot touch!
• Michigan Lowe's Store (Spring 2003)
• http//reviews-zdnet.com.com/4520-7297-5511088.htm
  l
• Found hot spot accessed e-mail (misdemeanor
  conviction)
• Friend another went back and got into Lowes
  system, including corporate HQ stores in CA,
  FL, SD, KY, NC, KA
• Returned and uploaded program to trap credit card
  data but crashed POS in CA store
• Reinserted a modified program at later date,
  obtained 6 credit card numbers
• Pair face 16 counts (41-51 months 12-15 years)
• Responsibility of Business?

102
Risks of Insecure Systems

• Risks to Sellers
• Customer Impersonation
• Theft of Goods/Services
• Denial of Service Attacks (DoS, DDoS)
• Data Theft ( 1M avg. loss)
• Sabotage by Former Employees
• Former employee launched a logic bomb that wiped
  out all the firms software and caused 10M in
  damage, including the loss of 80 jobs. Had
  worked for the company 11 years, was responsible
  for maintaining, securing, and backing up the
  critical programs that ran the manufacturing
  facility.

103
Risks of Insecure Systems

• Risks to Sellers
• Threats from Current Employees
• Trade Secret Theft 24B/year, most committed
  by insiders
• 19/104 firms were victims of theft from own IT
  staff!
• Financial Fraud
• Often done by current employees, generally
  included kickbacks of some type
• E-mail Spoofing
• Social Engineering

104
Risks of Insecure Systems

• Risks to Trading Partners
• Often includes transmission of Mission Critical
  data
• Data Interception (e-mail host??)
• Message Origin Authentication (Nonrepudiation)
• Proof of Delivery received by intended
  recipient
• Message Integrity Unauthorized Viewing of
  Messages
• Timely Delivery of Messages

105
GIVEN ALL THE RISKS, WHAT SHOULD A BUSINESS
DO?---Risk Management Process---

• Identify Potential Risks
• Analyze Assess Probability Prioritize
• Design/Plan/Implement Assign Available
  Resources
• Business Continuity Plan
• Monitor Tracking Devices, Corrective Actions
• Control Evaluate
• Repeat Process

Also Mandated by Sarbanes-Oxley
106
Selling CyberSecurity to Business

• Need to pitch sale to audience
• Executive
• Cost/benefit - savings
• Reduced Exposures
• Manager
• Streamline workflow
• Budget impact
• Employee
• Ease of use

107
(No Transcript)
108
Impact Analysis Approach for Cyber Security

• Public Web Site
• Not critical for day-to-day operations
• Mail Servers
• Business hampered, not down if failure
• E-Tail Web Site
• Critical for revenue
• Significant lost in stock price
• Accounting Systems
• Critical for operations
• Desktop Virus
• Can result in shutdown of entire system
• Corporate Network Uptime
• Mission critical, internal network connects
  everything

109
Impact Analysis Approach(Possible Scores)
110
Risk Analysis Approach

• Identify Assets
• Hardware, Network, Software, Data, and
  Documentation
• Evaluate Exposures
• Modification, Destruction/Loss, Disclosure, and
  Disruption
• Create matrix of Assets/Exposures and evaluate
  each cell as being either H, M, or L
• Never have a single point of failure!
• Implement Controls
• Should be Cost-Effective and Based on Matrix
• Monitor Results

111
Evaluation Matrix
Modification Destruction/Loss Disclosure
Disruption
Hardware
Server
Router
Software
Data
Docs.
Rate Risk as H, M or L
112
(No Transcript)
113
Business Continuity Plan

• Businesses that are down for more that a week
  will (almost) never survive!
• How Happen?
• Power outage, natural disaster, intentional act
• Florida businesses??
• Elements of a BCP
• Plan Identify A, B, and C Processes
• Employee logistics
• Power and telecommunications partners
• Key suppliers
• 3rd party site (Hot, Warm, Cold) or
  Self-Insure?
• Practice, Practice, Practice

114
Reducing Internal Security Threats

• Make Fraud Less Likely to Occur
• Hiring/Training
• Corporate security culture
• Increase Difficulty of Committing Fraud
• Internal controls
• Separation of duties/forced vacations
• Limit access to machines/software/data/documentati
  on
• Reduce Fraud Loss
• Insurance/Back-up Off-site storage/Contingency
  plans
• Physical Security
• Fireproof/fire extinguishers/smoke detectors
• Uniterruptable power supply/surge protector
• Increase Likelihood of Detecting Fraud
• Periodic audits - People question actions
• Investigate all anomalies - Prosecute all
  perpetrators

115
Preventing Disruption, Destruction and Disaster

• Key principle in preventing (reducing impact)
  disruption, destruction and disaster is
  redundancy.
• Uninterruptable power supplies (UPS)
• Fault-tolerant servers
• Disk mirroring duplexing
• Multiple data communication lines/ companies that
  provide services
• Redundancy can be built into other network
  components as well.
• In some cases, the disruption is intentional
• A special case is the denial-of-service attack,
  in which the hacker attempts to disrupt the
  network by sending messages to the network that
  prevent others messages from being processed

116
Prevent Unauthorized Access

• Key principle is to be proactive. Test your
  security systems before an intruder does.
• Approaches to preventing unauthorized access
• Developing a security policy
• Developing user profiles
• Plugging known security holes
• Securing network access points
• Preventing eavesdropping
• Using encryption
• A combination of all techniques is best to ensure
  strong security.

117
Develop User Profiles

• The basis of network access is the user profile
  for a users account
• More systems are requiring users to enter a
  password in conjunction with something they have,
  such as a smart card.
• In high-security applications, a user may be
  required to present something they are, such as a
  finger, hand or the retina of their eye for
  scanning by the system (biometric scanning).

118
Plug Known Security Holes

• Many commonly used operating systems have major
  security problems well known to potential users
  (security holes).
• Some security holes are not really holes, but
  simply policies adopted by computer vendors that
  open the door for security problems, such as
  computer systems that come with a variety of
  preinstalled user accounts.
• Check vendor sites for updates
• delete all preinstalled accounts,
• change defaults
• Check hacker sites

119
Securing Network Access Points

• There are three major ways of gaining access
• Using a computer located in the organizations
  offices
• Dialing into the network
• Accessing the network from another network to
  which it is connected (e.g. Internet)
• Firewalls
• The physical security of the building or
  buildings that house any of the hardware,
  software or communications circuits must also be
  evaluated.

120
Are You Being Taken?

• Most current SSL attacks are based on fooling the
  user, more so than breaking the technology.
• Most forms online are not on secure servers, but
  the data you provide is usually sent to a secure
  server, which leads to one of the major problems.
  
• The form data may not be going where it should. A
  simple attack is to have the fake site, and a
  form that takes the data, without using a secure
  server at all.

121
Are You Being Taken?

• Check source HTML of pages you put credit card
  data
• The title bar should start with https// followed
  by the sitename (i.e. https//www.microsoft.com/)
  .
• Also examine the HTML source to make sure the
  form data points to where it should go, you
  should see something like
• or
• .com/cgi-bin/order.cgi"
• If a store is using the "GET" method, do not buy
  from them, any data you enter will be passed
  along as the query string, if you look in the
  text of your address bar you will see your credit
  card info.

122
Are You Being Taken?

• If a store specifies a relative link (i.e.
  something/something.cgi) then make sure the
  current site you are at is a secure server, and
  that the certificate is legitimate.
• If the link is absolute, and points to an IP
  address, be suspicious (Warning! Warning! Danger!
  Danger!)
• Ideally the link should point to something like
• "https//www.some-online-store.com/cgi-bin/order.
  cgi", and you should first browse to that site,
  and make sure the certificate is legitimate,
  before hitting the submit button on your order
  form.

123
Phishing? Spear Phishing?

• What is it?
• Phony, but realistic looking e-mail urging user
  to update sensitive financial information
• Attackers target a single company or group (not
  the mass mailing of normal phishing attack). An
  example could be an email to all.employees_at_xyz.com
  purporting to come from helpdesk_at_xyz.com
• What do e-commerce outfits do to prevent
  phishing?
• They send out fliers warning customers of the
  hazard.
• How Effective is Phishing?
• In 12 months ended 4/04, 57 million reported
  phish e-mail
• Value of goods services total 1.2B but does
  not include cost for HW, SW, reputation, etc.
• Total damage estimated at 50B!

124
Four Horsemen of the Info-Apocalypse

• Intelligence gathering
• Systems damage
• System hijacking
• Disinformation

Checklist for Businesses
From The Dirty Dozen The 12 Security Lapses
That Make Your .Com, .Org, or .Net an Unwitting
Collaborator with Cyberterrorists
(http//www.informit.com/ )
125
Intelligence Gathering

• Identity Impersonation and/or Identity Theft
• See also Breakdowns in the Human Firewall
• Spyware
• Internal Threats
• From the Innocent Incompetent to the
  Disgruntled Employee
• The Society of Competitive Intelligence
  Professionals (http//www.scip.org/)

126
Systems Damage

• Security lapses that allow for disruption or
  damage of data and information infrastructure.
• Breakdowns in the Human Firewall
• People are the weakest link in a security plan.
  Training can prevent a majority of security
  lapses.
• System/Browser Vulnerabilities
• Wireless Insecurity
• Denial-of-Service (DoS) Attacks

127
System Hijacking

• Use of established communications for
  clandestine communication with others
• Steganography
• art and science of hiding the fact that
  communication is happening. It involves hiding
  messages inside text, images, sounds, or other
  binary files for clandestine communications
• Tunneling
• allows communication in an environment where
  communication may not be possible due to
  firewalls or proxies that limit traffic
• Worms, Trojan Horses, and Viruses
• http//www.networkworld.com/topics/virus.htmlthre
  atmap

128
Disinformation

• Spreading false rumors electronically that are
  picked up by the media as true
• Cracking into news servers to plant false or
  misleading stories
• Entering false or misleading information in
  databases
• DNS Poisoning and Domain Hijacking
• DNS poisoning is convincing a name server that a
  domain has a different IP address.
• Domain hijacking involves stealing a domain at
  the registrar level.
• Changing Web Site Contents

129
Security/Productivity Balance
130
Paranoia is Good!