ECommerce Models - PowerPoint PPT Presentation

E-Commerce Models Security: Risks and Controls
CSE/CJ 429
September 26, 2006
Severin Grabski
Department of Accounting Information Systems

Session Readings
  • How eCommerce Works (http//
  • Sarbanes-Oxley Compliance
  • (http//
    37041 )
  • How Credit Cards Work (thru on-line safety)
  • (http//
  • How Encryption Works
  • (http//
  • How Identity Theft Works
  • (http//
  • Urban Legends (Click on Computers)
  • Viruses (http//

Additional Readings
  • COSO Publications
  • http//
  • ISACA (CobiT)
  • http//
  • SOX, COSO and CobiT Mapping
  • http//
  • CIO Today
  • http//

Session Outline
  • IT Governance
  • SOX, COSO and CobiT
  • eCommerce
  • B2C
  • B2B
  • Security Lapses
  • Security Techniques

Importance of Private Sector CyberSecurity
  • The private sector owns or manages a large number
    of critical infrastructures
  • Banking and finance
  • Electricity
  • Oil and gas production
  • Telecommunications
  • Transportation
  • Water supply
  • Nearly everything the U.S. military does depends
    on computer-driven civilian information networks.
  • About 95% of military communications travel over
    the same networks used by civilians

IT Governance
  • Enterprise leaders are responsible to ensure
    that IT
  • Aligned with the business
  • Delivers value
  • Performance is measured
  • Resources properly allocated
  • Risks mitigated

IT Governance
  • Governance structure
  • Partially a result of perceived need
  • Board of Directors, Top Management
  • Partially a result of regulations
  • Sarbanes-Oxley Act

Need for IT Governance
  • IT is important for delivering the organizations
  • Organizations are suffering from IT operational
  • 75% of the CIOs perceive need for better IT
  • IT governance helps provide IT value and manage IT
  • IT governance frameworks used to align IT
    strategy to business strategy
  • IT governance used to manage IT operational risks

Sarbanes-Oxley Act
  • Regulations on Publicly Traded Firms
  • The Sarbanes-Oxley Act of 2002 is designed to
    ensure the following within a business
  • There are sufficient controls to prevent fraud,
    misuse, and/or loss of financial
  • There are controls to enable speedy detection if
    and when such problems happen.
  • Effective action is taken to limit the effects of
    such problems.
  • In many companies, most of these controls are

Sorting the SOX (Lions and Tigers and Bears, OH MY!)
  • SOX Sections
  • 302
  • Requires management's quarterly certification of
    financial reporting controls and disclosure
    controls and procedures
  • 404
  • Requires management of public companies to take
    responsibility to develop and maintain an effective
    system of internal controls
  • Reporting on the system's effectiveness.
  • 906
  • Rapid (within 4 business days) disclosure of
    material changes in the financial condition or
    operations of the issuer
  • 22 triggering events detailed

SOX 302
  • The signing officers (CEO, CFO)
  • Are responsible for establishing and maintaining
    internal controls
  • Have designed such internal controls to ensure
    that material information to the issuer and its
    consolidated subsidiaries is made to such
    officers by others within those entities,
    particularly during the period in which the
    periodic reports are prepared
  • Have evaluated the effectiveness of the issuer's
    internal controls as of a date within 90 days
    prior to the report and
  • Have presented in the report their conclusions
    about the effectiveness of their internal
    controls based upon their evaluation as of that
  • The signing officers have disclosed to the auditors
    and audit committee of the Board of Directors
  • All significant deficiencies in the design or
    operation of internal controls that could
    adversely affect the issuer's ability to record,
    process, summarize, and report financial data and
    have identified for the issuer's auditors any
    material weaknesses in internal controls and
  • Any fraud, whether or not material, that involves
    management or other employees who have a
    significant role in the issuer's internal

SOX Compliance
  • Companies must demonstrate conclusively that they
    have the following in place
  • Macro Level Anti-Fraud Analysis
  • Macro Level Assessment Against a Control Model
  • COSO
  • Sufficiency of IT General Controls
  • Reliable 10-K, 10-Q, Notes, Supplemental
  • COSO
  • Material Weakness in any of the above requires
    External Auditors to conclude that the disclosure
    controls overall are not effective and give a
    negative internal controls opinion

Cost of SOX Compliance
  • Compliance spending in 2004 estimated at $5.5B
  • Companies with $5B in sales: $10.5M SOX cost
  • Average audit fees up 45% ($13M)
  • GE: audit fees increased 41% ($78M)
  • $33M for SOX 404
  • United Technologies: audit fees doubled ($20M)
  • Yellow Roadway: audit fees doubled ($4M)
  • $10M for SOX documentation

Cost of SOX Compliance
"Smaller companies are pretty screwed by the whole
process because the SarbOx requirements are going
to really cost them money they can't possibly make
up in more efficient operations. Larger companies
are so screwed up in general that the sorts of
things they need to do to improve their financial
control are likely to have positive knock-on
effects on financial operations beyond audit and
compliance."
"How companies should handle Sarbanes-Oxley
compliances," Friday April 22, 2005 (02:00 PM GMT),
Melanie Hollands, http//

SOX Compliance: IT Controls
  • Extent of documentation and testing required
  • Management must document and test
  • Relevant General IT controls
  • Controls over program development, program
    changes, computer operations, and access to
    programs and data
  • Appropriate Application-level controls that are
    designed to ensure that financial information
    generated from a company's application systems
    can be relied upon.
  • For purposes of Section 404 assessment, not
    necessary to test general IT controls that do not
    pertain to financial reporting
  • Not appropriate to exclude new IT systems and
    upgrades from the scope of its assessment of
    internal control over financial reporting

Staff Statement on Management's Report on
Internal Control Over Financial Reporting (16 May
2005) http//
Risk Type and IT Controls
[Diagram: OS security, DB security, network
security, application security]

Sarbanes-Oxley Scope
[Diagram: anti-virus, anti-spam, email/IM security,
Bluetooth security, data privacy, data
classification, incident response, end-user
awareness, disaster recovery and business
continuity planning]

Internal Controls
A company's internal control structure is defined
at several layers:
[Diagram, top to bottom: business processes /
classes of transactions (Process A, B, C);
financial applications (Application A, B); IT
infrastructure services (change management, access
management, IT operations); operating system]

Sarbanes-Oxley Act
  • General computer controls impact all IT systems.
    The following types of controls are usually
  • Security policies, standards, and processes,
  • Authentication/access controls,
    Laptop/workstation security
  • Antivirus policies, Password policies
  • Firewall/VPN policies, Intrusion prevention and
    detection policies
  • Physical access security
  • Internet usage policies (see "Why You Need a
    Company Policy on Internet Use")
  • Incident management policies and procedures
  • Hardware/software configuration, installation,
    testing, management standards, policies, and
  • Service-level agreement policies
  • Coding standards/reviews, Testing

Sarbanes-Oxley Act
  • IT security should form a large part of the
    audit process. It's important to demonstrate
    that policies are in place and are being followed
    effectively in the following areas
  • Physical security
  • How people get access to the building (how ID
    cards are issued, security guards are vetted,
  • Where the computer equipment is kept and how it's
    secured from theft, fire, flood
  • Policies dictating physical security
  • Laptop (and wireless devices) and workstation
    physical security
  • Intrusion detection/prevention
  • Which IDS/IPS software is running on which
    network components
  • Who is alerted when intrusions are detected
  • Policy for handling intrusions, etc.

Sarbanes-Oxley Act
  • Additional General IT Controls
  • Logging
  • Error logging
  • Incident logging
  • Reviews of logs
  • Policy for acting on unusual activities
  • Access to logs/changes to logs
  • Antivirus/spyware policy
  • Firewall policies for content filtering, closing
    ports, etc.
  • (Music) CDs (DRM software issues!)
  • Network antivirus policy
  • Email antivirus
  • PC antivirus setup
  • Server antivirus
  • Communication to users to educate them in how to
    deal with viruses
  • Remote-access policy
  • VPN policy
  • Access via modem/DSL/Bluetooth/wireless, etc.

Sarbanes-Oxley Act
  • Additional General IT Controls
  • Configuration policy
  • Firewall/router/hub setups to ensure that "back
    doors" are closed, patches are installed, etc.
  • Server (especially web server) setup policy to
    ensure that potentially dangerous protocols are
    turned off (such as Telnet and FTP)
  • Control over installation of new software
    (testing of software in lab conditions before
  • Inventory to ensure that someone knows which
    network components exist and where they are, how
    they're configured and changed, etc.
  • Authentication/access controls
  • Regular vulnerability assessment to include port
    scanning, checking for software patches that are
    not up to date, checking for antivirus updates
    that are not in place, and so on

New Laws and Guidelines
  • Energy Policy Act of 2005
  • Improve security in power companies. The act
    calls for the implementation of mandatory
    reliability standards in bulk-power systems
    operating interconnected, electric-energy,
    transmission networks. Reliability standards and
    cybersecurity protection standards to help thwart
    online attacks are included.
  • NERC (North American Electrical Reliability
    Council) cybersecurity standards ( CIP-002-1 to
    CIP-009-1 ). Power companies using bulk
    electricity systems properly identify and protect
    critical online assets that control/impact their
    performance. Companies operating bulk-power
    systems will be required to conduct extensive
    background checks on employees working in IT
    security. The cybersecurity standards address
  • Critical online asset protection.
  • Security of management controls and systems.
  • Hiring and training of power plant personnel.
  • Incident reporting.
  • Disaster response planning.
  • Creation of recovery plans.

More Laws and Guidelines
  • U.S. Federal Information Security Management Act
    (FISMA) of 2002 - law governing Federal
    information security
  • http//
  • DoD Security Technical Implementation Guidance
  • IT Security Compliance (IIA)
  • http//
  • Tips for PC Security http//

Theoretical Business IT Security Approach
  • Take IT Governance Perspective
  • Look at Cost/Benefit Trade-off
  • Looking at convergence of the entire security area
    (physical and computer)

Actual Business IT Security Approach
  • Recommended by staff
  • What others are doing
  • What we can afford
  • Told to by auditors
  • Fits in portfolio and risk appetite

Recommended process for selecting IS security
[Flowchart; decision points and actions as they
appear on the slide:]
  • Does the project meet the qualitative criteria
    required to qualify for financial evaluation?
  • Pursue alternative projects
  • Perform DCF analysis to quantify the expected
  • Is the overall risk of the IS project portfolio
    at acceptable levels after inclusion of this
  • Assess the contribution of this project's risk to
    the risk of the IS project portfolio
  • Does this project provide real options?
  • Does the project generate positive value?
  • Apply options valuation to quantify the real
    option embedded
  • Propose the project for top management's approval

Key Control Concepts
  • Internal control (i.e., security) is a process
  • A means to an end!
  • Internal control is effected by people
  • It is not policies and forms!
  • Internal control can be expected to provide
    reasonable assurance not absolute assurance
  • Only as strong as the weakest link!!!

Why Internal Controls?
  • To provide a reasonable level of assurance that
    everything is done properly and that no
    unauthorized actions occur
  • Ensure management's policies are followed
  • Ensure valid data (Record, Maintain, Report)
  • Ensure appropriate data provided to authorized
    users (Employees, Customers, Vendors,
    Stockholders, Regulatory Agencies)
  • Ensure Assets are valued/protected/used in an
    appropriate manner
  • Ensure that Business Events are properly valued
    and recorded accurately and timely
  • Ensure that appropriate Agents participate in
    Business Events

Control Frameworks
  • COSO
  • General Control Model
  • Committee of Sponsoring Organizations of the
    Treadway Commission (originally formed in 1985)
  • IT Control Model
  • IT Governance Institute

COSO Internal Control - Integrated Framework (ICIF)
  • The Committee of Sponsoring Organizations (COSO)
    is a private sector group consisting of the AAA,
    AICPA, IIA, IMA, and FEI
  • Issued in 1992 to provide guidance for evaluating
    and enhancing Internal Control Systems
  • COSO ICIF has five components
  • Control Environment: Tone at the Top
  • Risk Assessment
  • Control Activities: Prevent-Detect-Correct
  • Information and Communication
  • Monitoring: Is the IC System Working?

  • Enterprise Risk Management Integrated Framework
  • Expands and elaborates on elements of internal
    control as set out in ICIF
  • Includes objective setting as a separate
  • Objectives are a prerequisite for internal
  • Expands the control frameworks Financial
    Reporting and Risk Assessment.
  • Requires a Portfolio View of risk

Business Units
  • a process,
  • effected by an entity's board of directors,
    management and other personnel,
  • applied in strategy setting and across the
  • designed to identify potential events that may
    affect the entity, and
  • manage risks to be within its risk appetite,
  • to provide reasonable assurance regarding the
    achievement of entity objectives.

SOX requires the demonstration of the
sufficiency of IT general controls
COBIT is one model that can be chosen
  • Planning
  • Acquisition and Implementation
  • Delivery and Support
  • Monitoring
  • IT Delivery must enable the organization to
    achieve its objectives
  • Promotes process focus and process ownership
  • Looks at fiduciary, quality and security needs of
  • 7 Information criteria to define business
  • Supported by 300 specific control objectives
  • Effectiveness
  • Efficiency
  • Availability
  • Integrity
  • Confidentiality
  • Reliability
  • Compliance

IT Domains
Planning and Organization - IT strategy and
tactics, the identification of the way IT can best
contribute to the achievement of the business
objectives.
Acquisition and Implementation - IT solutions need
to be identified, developed or acquired, as well as
implemented and integrated into the business
process. Maintenance/changes of existing systems
are included to make sure that the life cycle is
continued for these systems.
Delivery and Support - Actual delivery of required
services, which range from traditional operations
over security and continuity aspects to training,
includes the actual processing of data by
application systems, often classified under
application controls.
Monitoring - Regular assessment of IT processes
over time for their quality and compliance with
control requirements, addresses management's
oversight of the organization's control process and
independent assurance provided by internal and
external audit or obtained from alternative
sources.
COBIT IT Processes Defined within Domains
Business Objectives
Planning and Organization
  • PO1 Define a strategic IT plan
  • PO2 Define the information architecture
  • PO3 Determine the technological direction
  • PO4 Define the IT organisation and relationships
  • PO5 Manage the IT investment
  • PO6 Communicate management aims and direction
  • PO7 Manage human resources
  • PO8 Ensure compliance with external requirements
  • PO9 Assess risks
  • PO10 Manage projects
  • PO11 Manage quality
Acquisition and Implementation
  • AI1 Identify automated solutions
  • AI2 Acquire and maintain application software
  • AI3 Acquire and maintain technology infrastructure
  • AI4 Develop and maintain IT procedures
  • AI5 Install and accredit systems
  • AI6 Manage changes
Delivery and Support
  • DS1 Define service levels
  • DS2 Manage third-party services
  • DS3 Manage performance and capacity
  • DS4 Ensure continuous service
  • DS5 Ensure systems security
  • DS6 Identify and attribute costs
  • DS7 Educate and train users
  • DS8 Assist and advise IT customers
  • DS9 Manage the configuration
  • DS10 Manage problems and incidents
  • DS11 Manage data
  • DS12 Manage facilities
  • DS13 Manage operations
Monitoring
  • M1 Monitor the process
  • M2 Assess internal control adequacy
  • M3 Obtain independent assurance
  • M4 Provide for independent audit

Are Businesses Secure???
  • Yes!
  • No!
  • Maybe?

Secure Businesses?
  • NTA (European Internet Security Testing Firm,
    http// ) evaluated UK
    eCommerce sites from 10/02 to 1/03
  • Half of all sites tested had one or more
    high-risk vulnerabilities
  • Two thirds had four or more medium risk
  • Two thirds of those tested had six or more low
    risk vulnerabilities
  • Two thirds had six or more informational
  • Spear Phishing (http//
    s/aug2005/spearphishing.htm )

Frequent Flaws
CyberSecurity Lapses
  • Ex-Teledata employee pleads guilty in massive ID
    theft case illegally downloaded 30,000 credit
    reports (9/15/04)
  • California group sues Albertsons over privacy
  • Alleges that confidential pharmacy customer data
    used in direct mailing for large drug companies
  • Domain hijacked (9/8/04) via request for
    DNS transfer
  • Hard drive with 23,000 SSNs (students, faculty,
    other employees) disappears from CSU system

More CyberSecurity Lapses
  • Insider Hacking (Financial Times, 11/9/05)
  • Fastest growing threat to Financial Institutions
  • 35 security breaches in past 12 months (was 14)
  • Organized crime planting staff for ID theft
  • Why?
  • Easy access to hacking tools (less than 10
    minutes to hack!)
  • Easy to carry out large amounts of data (USB
  • Poor controls/patching/policies

Even More CyberSecurity Lapses
  • Former AOL employee sold 92M e-mail addresses (15
    months in prison)
  • Sun newspaper reporter alleged to have been sold
    bank account details for 1,000 UK customers from
    Indian call center worker
  • Threat Rates for
  • Virus (per 1000 PCs) is 4,000/day
  • attack-related scans 340/internet address/day
  • Insider using someone else's logged-in computer
    inappropriately: 4 attempts/1000 users/day

And Even More CyberSecurity Lapses
  • VA
  • Unisys subcontractor arrested in VA computer
  • http//
  • Unisys offers $50,000 reward for missing VA
  • http//
  • Flurry of new data breaches disclosed
  • http//

And Still Even More CyberSecurity Lapses
  • Security Survey: Security Breaches Strike One in
    Three Companies. The first set of results from our
    latest annual Security Survey provides an update
    from the war zone that is IT security. There's
    plenty of bad news: over half of companies over
    $1 billion report security breaches in the past
    12 months, and 45 percent have been targeted by
    organized criminals.
  • Survey: 81% of U.S. firms lost laptops with
    sensitive data in the past year
  • http//

And Even More Industries to Worry About
  • FDA reiterates that pharmaceutical companies must
    be prepared to document their products along the
    supply chain by the end of this year.
  • http//
  • Chemical industry launches a cyber-security
    program to guard against shared threats--and
    possible disaster.
  • http//

  • Rolling Power Outages Hit LA, Chicago, NY, D.C.
  • DoD e-mail Phone Services are Disrupted
  • Navy Cruiser Computer Systems Taken Over
  • D.C. 911 Service Fails
  • All Happened in 1997!
  • NSA had 35 Hackers launch simulated attacks
  • Root Level Access Obtained in 36 Networks

What, Me Worry?
  • Data Security
  • Business Policies
  • Transaction Processing
  • Data Privacy
  • Systems Reliability
  • SANS' Top 20 Security Threats
  • Cyber Security Tips (http//

Business Worries
  • Escalation of attacks targeted at e-commerce
    companies (9/24/04)
  • http//
  • DDoS attack against Authorize.Net
  • Credit card processor
  • Serves 100,000 SMEs on-line businesses
  • Target of intermittent large-scale DDoS
  • DDoS started after company refused extortionists'
    demand for substantial amount of money

More Business Worries
  • A New York suburb is considering legislation that
    would make it a crime to run an unsecured Wi-Fi
    access point, reports. (11/6/05)
  • Sony's rootkit-like copy restrictions on some of
    its music CDs: use of music CDs in the office?
  • Trojan horses emerged that avoid detection by
    using the digital rights management software used
    by Sony on some of its audio CDs. (11/14/05)

New Attack Patterns
  • Attacks now on application programs (noticeably
    backup, recovery, antivirus)
  • Attacks on critical vulnerabilities found in
    network devices (routers, switches)
  • Targeted Attacks on businesses
  • http//

  • Used to Evaluate Controls in Business/Accounting
  • Completeness: Transactions entered once (only
    once) and accepted for processing
  • Accuracy: Record correct amount, appropriate
    time period, correct account
  • Validity: All transactions are REAL, actually
    occurred, relate to organization, approved by
    designated person
  • Restricted Access: Data protected against
    unauthorized adjustments, ensure confidentiality,
    protect physical assets

Security Concerns
  • Security of Data
  • How secure are the data that are maintained?
  • How secure are the data that are transmitted?
  • Business Policies
  • What are the business policies (sell customer
  • Are policies followed?

Security Concerns
  • Transaction Processing Integrity
  • How ensure transactions are processed according
    to agreed upon methods?
  • How ensure orders are not lost?
  • How ensure bills and account information are
    processed accurately?
  • How ensure payments are recorded in a timely
  • How ensure that correct items and quantities

Security Concerns
  • Privacy of Data
  • What is the privacy policy?
  • What information is kept?
  • International --- Laws??
  • How will collected information be used?
  • Will any information be disclosed/sold?
  • Can I verify/change/delete data?
  • How ensure policies are followed?
  • Systems Reliability
  • Will the system be available when needed and
    performing procedures and processes as designed
    without exception?

System Monitoring
  • Continuous Monitoring of Data
  • http//

  • In eCommerce, trust is the willingness of a
    trading partner to be vulnerable to the actions
    performed by the system of another trading
    partner based on the expectation that the other
    trading partner will perform a particular action
    or sequence of actions important to the trustor
    (customer), irrespective of the ability to
    monitor or control the other trading party.

  • http//  
  • http// 
  • http//
  • http//
  • http//
  • How do you know who to trust?

  • Critical for eCommerce
  • How Obtain Trust?
  • Company Reputation
  • Seals
  • BBB (http// )
  • TRUSTe (http// )
  • WebTrust (http// )
  • VeriSign (http// )
  • Other Ways?
  • Why Trust a Seller (Buyer) on eBay?

E-Mail Trust?
  • "E-Mail Snooping Ruled Permissible," by Kim
    Zetter, Wired News, June 30, 2004
  • The First Court of Appeals in Massachusetts ruled
    that Bradford C. Councilman did not violate
    criminal wiretap laws when he surreptitiously
    copied and read his customers' e-mail to monitor
    their transactions.
  • Councilman, owner of a website selling rare
    out-of-print books, offered book dealer customers
    e-mail accounts through his site. But unknown to
    those customers, Councilman installed code that
    intercepted and copied any e-mail that came to
    them from his competitor, Councilman
    did not prevent the mail from reaching
    recipients, he read thousands of copied messages
    in order to know what books customers were
    seeking and gain a commercial advantage over
  • The court acknowledged in its decision that the
    Wiretap Act was perhaps inadequate to address
    modern communication methods.

eCommerce: B2B, B2C, and Intranets
Source: Gartner Group, EDS Electronic Markets
  • H&R Block exposed confidential tax return data
    for 26 customers during the 2000 tax season.
  • An upgrade to the system was to enhance
    performance; unfortunately, debugging the upgrade
    shut the system down for a week.
  • Confidential data were exposed when a user logged
    off and another user logged on. The previous
    user's data was imported into the subsequent
    user's documents and screen views.
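The H&R Block exposure above is the classic shape of a session-state leak: per-user data held in storage that is shared by all requests and not cleared at log-off. The following is an added example, not code from the presentation or from H&R Block; it models a hypothetical tax-return web application with a vulnerable version (shared draft) beside the fixed version (draft owned by the session), and replays the log-off/log-on sequence from the slide.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: the caller's session and form fields."""
    session_id: Optional[str]
    form_data: Dict[str, object] = field(default_factory=dict)


class LeakyTaxApp:
    """Vulnerable shape: the in-progress return lives in one object shared by
    every request, so it survives log-off and is shown to the next user."""

    def __init__(self) -> None:
        self._draft: Dict[str, object] = {}     # shared across all users (the defect)
        self._sessions: Dict[str, str] = {}     # session id -> username

    def login(self, username: str) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = username
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)           # the draft is NOT cleared here

    def edit_return(self, req: Request) -> Dict[str, object]:
        if req.session_id not in self._sessions:
            raise PermissionError("not logged in")
        self._draft.update(req.form_data)
        return dict(self._draft)                # screen view: still holds old fields


class SafeTaxApp:
    """Fixed shape: the draft is owned by the session and destroyed with it."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}    # session id -> {"user", "draft"}

    def login(self, username: str) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": username, "draft": {}}
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)           # draft goes away with the session

    def edit_return(self, req: Request) -> Dict[str, object]:
        sess = self._sessions.get(req.session_id)
        if sess is None:
            raise PermissionError("not logged in")
        sess["draft"].update(req.form_data)
        return dict(sess["draft"])              # only this session's fields


def replay(app_cls) -> Dict[str, object]:
    """Alice enters her return and logs off; Bob logs on and starts his.
    Returns the fields Bob sees on his screen (constructed sample values)."""
    app = app_cls()
    alice = app.login("alice")
    app.edit_return(Request(alice, {"ssn": "000-00-0000", "wages": 88000}))
    app.logout(alice)
    bob = app.login("bob")
    return app.edit_return(Request(bob, {"wages": 52000}))


if __name__ == "__main__":
    print("leaky app, Bob sees:", replay(LeakyTaxApp))   # Alice's SSN is still there
    print("fixed app, Bob sees:", replay(SafeTaxApp))    # only Bob's own field
```

In real applications the shared object is usually a module-level variable, a singleton controller, or a cache keyed by something that is not unique per session; the test for the control is the same replay: log off as one user, log on as another, and check what the second user can see.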

  • Steps?
  • Where need Security?

eCommerce Steps
Attract Buyers
  • How Attract?
  • Risks?

  • Risks?

  • Must it be customized?
  • Compete on Price, Quality, Timeliness, etc.
  • Risks?

Carry Out Transaction
  • Risks?

Customer Payment
  • Risks?

After-Sale Interaction
  • Risks?

Distribute Product
  • Risks?

Customer Relationship Management
  • Risks?

B2B Data Communication Issues
Basic CyberSecurity Issues
Secure Internet Communication
  • How do you communicate securely over the
  • SSL (Prevent tampering, assure confidentiality)
  • SSL (Secure Socket Layer) security protocol that
    provides data encryption, server authentication,
    message integrity, and optional client
    authentication for a TCP/IP connection.
  • How does a customer know that you are who you say
    you are?
  • Certificates (Authenticate)
  • Server: This is really me!
  • Personal: I'm a returning customer, can't

5 Web Site Security Issues
  • Is data protected against interception or
    alteration by third parties during transmission?
  • When sensitive data, like credit card numbers or
    health-care information, is sent over the Web
    without the protection of SSL, there is a risk
    the data will be intercepted and even altered by
    hackers during transmission.
  • Does your Web site security prevent auto security
  • All Web browsers have security mechanisms to help
    prevent users from unwittingly submitting their
    sensitive information over unsecured channels,
    which can equal lost business. Web site must have
    a valid SSL Certificate to prevent these warnings
    from being displayed.
  • Does your Web site provide the highest security
    available, regardless of browser version?
  • 128-bit encryption is the strongest SSL
    encryption available in today's browsers

5 Web Site Security Issues
  • Can you verify to customers that your Web site is
    owned by a "legitimate" business?
  • Customers and business partners must be confident
    that their sensitive information is being shared
    with a real entity, not a "spoof" site
    masquerading as a legitimate business.
  • Does your Web site display a recognized trust
  • The VeriSign Secure Site Seal is the leading sign
    of trust on the Internet (Cheskin/Studio
    Archetype Study).

Secure Messaging Protocols: Secure Electronic
Transmission (SET)
  • Specification Core Includes Use of Cryptography
  • Provides Confidentiality of Information
  • Ensure Payment Integrity
  • Authenticate Both Merchant and Cardholder
  • Interoperate with Other Protocols

SSL versus SET
  • Both
  • Encrypt Data
  • Confirm Message Integrity
  • Authenticate Merchant
  • Only SET
  • Authenticate Consumer (SSL v.3 does this)
  • Transmit Specific Data on Need to Know
  • CC Stay Encrypted on Merchant Site
  • No Need for Merchant to Secure Credit Card
  • Includes Bank/Trusted 3rd Party in Transaction

  • Private Key
  • Public Key
  • Digital Signature
  • Management of Keys

Private Key Encryption
[Diagram: at the sender's site the initial text is
encrypted with the DES method under a secret 56-bit
key, giving the transmitted text; at the receiver's
site the same secret key is used for decryption
with the DES method, recovering the initial text]

Public Key Encryption
[Diagram: at the sender's site the initial text is
encrypted with the RSA method under the receiver's
public key, giving the transmitted text; at the
receiver's site the receiver's private key is used
for decryption with the RSA method, recovering the
initial text]

Public Key Infrastructure (PKI)
[Diagram: registration authority, certification
authority, certification registry, revocation list;
signing party (private key, signed message);
relying party (public key)]

Public vs. Private Keys
Public key:
  • 2 different keys
  • Easy to distribute
  • Integrity and non-repudiation through digital
  • Slow
  • Intensive computation (but not a real problem
    with current PCs)
Private (secret) key:
  • Both keys the same
  • Difficult to distribute
  • No digital signatures
  • Fast
  • Easy to implement

Theoretical Times to Crack Encryption Schemes
  • DES encryption.
  • 40-bit max of 0.4 second
  • 56-bit max of 7 hours
  • 64-bit max of 74 hours, 40 minutes
  • 128-bit max of 157,129,203,952,300,000 years

Theoretical Times to Crack Encryption Schemes
  • Netscape does not use DES (it uses RC-4)
  • 40-bit 15 days max
  • 56-bit 2,691.49 years max
  • 64-bit 689,021.57 years max
  • 128-bit 12,710,204,652,610,000,000,000,000 years
  • A graduate student's network of Unix-based
    computers cracked Netscape's 40-bit encryption in
    eight days (would have taken a maximum of 15 days
    if it had to try every single key).

Digital Signatures
[Diagram: could then encrypt with the receiver's
public key; the receiver would need to first
decrypt with the receiver's private key]

Banking Security
  • Banks View
  • Customers View

On-Line Banking Security Banks View
  • Password
  • Encryption
  • Firewalls
  • Automatic Log-off
  • 3-Strikes You're Out!
  • Traffic Monitoring
  • Limit Access/Record Who Accesses Accounts
  • Tiger Teams
  • 3rd Party Contractors (??)
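Three of the bank-side controls listed above (three-strikes lockout, automatic log-off, and limiting and recording who accesses which account) can be expressed as one small monitor run over an authentication and access event stream. This is an added example, not the presentation's own code or any bank's implementation; the event stream, the account-ownership table and the 10-minute idle timeout are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_FAILURES = 3        # "3-Strikes You're Out!"
IDLE_TIMEOUT = 10 * 60  # seconds of inactivity before automatic log-off (assumed)

# Constructed account ownership table ("Limit Access").
OWNERS = {"acct-1001": "alice", "acct-2002": "bob"}

# Event: (time in seconds, user, kind, argument). Constructed sample stream.
Event = Tuple[int, str, str, Optional[str]]
EVENTS: List[Event] = [
    (0,    "alice", "login_ok",     None),
    (30,   "alice", "view_account", "acct-1001"),  # own account: recorded
    (60,   "alice", "view_account", "acct-2002"),  # Bob's account: denied
    (100,  "bob",   "login_fail",   None),
    (110,  "bob",   "login_fail",   None),
    (120,  "bob",   "login_fail",   None),         # third strike: locked
    (130,  "bob",   "login_ok",     None),         # right password, but locked
    (2000, "alice", "view_account", "acct-1001"),  # idle > 10 min: auto log-off
]


@dataclass
class Monitor:
    failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    locked: Set[str] = field(default_factory=set)
    last_seen: Dict[str, int] = field(default_factory=dict)   # live sessions
    access_log: List[Tuple[int, str, str]] = field(default_factory=list)
    alerts: List[Tuple[int, str, str]] = field(default_factory=list)

    def handle(self, ev: Event) -> None:
        t, user, kind, arg = ev
        if kind == "login_fail":
            self.failures[user] += 1
            if self.failures[user] >= MAX_FAILURES and user not in self.locked:
                self.locked.add(user)
                self.alerts.append((t, user, "locked after 3 failed logins"))
        elif kind == "login_ok":
            if user in self.locked:
                # Even a correct password does not open a locked account.
                self.alerts.append((t, user, "login attempt on locked account"))
                return
            self.failures[user] = 0
            self.last_seen[user] = t
        elif kind == "view_account":
            last = self.last_seen.get(user)
            if last is None:
                self.alerts.append((t, user, "account access without session"))
                return
            if t - last > IDLE_TIMEOUT:
                del self.last_seen[user]          # automatic log-off
                self.alerts.append((t, user, "automatic log-off after idle timeout"))
                return
            self.last_seen[user] = t
            if OWNERS.get(arg) != user:
                self.alerts.append((t, user, f"access to {arg} denied: not the owner"))
                return
            self.access_log.append((t, user, arg))  # "Record Who Accesses Accounts"


def run(events: List[Event]) -> Monitor:
    """Feed the event stream through the monitor and return its final state."""
    m = Monitor()
    for ev in events:
        m.handle(ev)
    return m


if __name__ == "__main__":
    result = run(EVENTS)
    for entry in result.access_log:
        print("access:", entry)
    for alert in result.alerts:
        print("alert:", alert)
```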

On-Line Banking Security Customers View
  • Check with FDIC
  • Evaluate Site (Legitimate)
  • Go to the Mountain, Don't have the Mountain come
    to you!
  • Foreign?
  • Username/Password Selection
  • Multiple Usernames/Passwords
  • Have Computer Remember Password??

On-Line Banking Security Customer View, Cont.
  • Log-Off!
  • Use Anti-virus Software
  • Use Modern Browser with Strong Encryption
  • Download Patches!
  • Report Security Problems
  • CyberCafes??
  • Work PCs??
  • Shred Paper Documents
  • Ask Questions!

Illicit Internal Cyber Activity in Banking
  • Study conducted by US Secret Service and CERT/CMU,
    published 8/04
  • Focused on Insider Threats
  • 78% of perpetrators were authorized users
  • 81% of crimes were preplanned
  • 30%: losses over $500,000

Insider Crimes
  • 1997-2002: foreign currency trader for an investment
    bank used a variety of tactics, including changing
    data in systems, to make it look like he was a star
    trader; lost over $600M
  • 3/2002: logic bomb deleted 10 billion files in an
    international financial services firm. Affected
    over 1300 servers, losses of $3M
  • Logic bomb created by disgruntled employee over a
    dispute about annual bonus

Primary Findings
  • Most incidents used little technical
  • 87% of cases involved simple user commands
  • 9 (13%) involved scripting (spoofing/flooding)
  • 70% of cases involved exploitation of
    vulnerabilities in basic business rules/policies
  • Perpetrators planned their actions
  • Were not aware of consequences of action
  • Cannot pass background checks
  • Google search on full name returns information on
  • Financial gain was primary motivation

Primary Findings
  • No common profile for perpetrators
  • Ages 18-59
  • 42% female
  • 27% had criminal records
  • Incidents detected via various methods
  • 61% of perpetrators detected by non-security
  • 22% of cases detected by auditors
  • Luck plays large part in detecting crime!
  • Perpetrators committed crimes while on job
  • 83% of attacks occurred from inside the organization
  • 70% of attacks during normal working hours

Risks of Insecure Systems
  • Intentional Acts of Fraud or Abuse
  • Alter inputs -- relatively easy, doesn't require
    technical skill
  • Bank account deposit slips modified
  • Desktop publishing system used to mail fictitious
  • Railroad employees falsely enter freight car
    destruction, then repainted and sold cars
  • Alter software -- requires skill
  • Viruses and Trojan horses
  • Alter data files (copy, delete, or use)
  • Labels removed from 100s of tapes/disks by
  • Employee took powerful magnet to disks/tapes
  • Employee sold information from wordprocessing
    files regarding potential mergers/acquisitions
  • Viruses and Trojan horses
  • Operate system in unauthorized manner -- steal
  • Steal or misuse output -- screen or printout

Risks of Insecure Systems
  • Risks to Customers
  • False or Malicious Websites
  • Stealing IDs Passwords
  • Stealing Credit Card Information
  • Man in the Middle info can be stolen even with
  • Stealing Files From Visitors Hard Drives
  • Non-Secure Environments
  • Theft of Customer Data from Sellers ISPs
  • Spyware
  • Cookies Privacy (?)

  • You can look, but you cannot touch!
  • Michigan Lowe's Store (Spring 2003)
  • http//
  • Found hot spot, accessed e-mail (misdemeanor
  • Friend and another went back and got into Lowe's
    system, including corporate HQ and stores in CA,
    FL, SD, KY, NC, KA
  • Returned and uploaded program to trap credit card
    data but crashed POS in CA store
  • Reinserted a modified program at later date,
    obtained 6 credit card numbers
  • Pair face 16 counts (41-51 months 12-15 years)
  • Responsibility of Business?

Risks of Insecure Systems
  • Risks to Sellers
  • Customer Impersonation
  • Theft of Goods/Services
  • Denial of Service Attacks (DoS, DDoS)
  • Data Theft ($1M avg. loss)
  • Sabotage by Former Employees
  • Former employee launched a logic bomb that wiped
    out all the firm's software and caused $10M in
    damage, including the loss of 80 jobs. Had
    worked for the company 11 years, was responsible
    for maintaining, securing, and backing up the
    critical programs that ran the manufacturing

Risks of Insecure Systems
  • Risks to Sellers
  • Threats from Current Employees
  • Trade Secret Theft $24B/year, most committed
    by insiders
  • 19/104 firms were victims of theft from own IT
  • Financial Fraud
  • Often done by current employees, generally
    included kickbacks of some type
  • E-mail Spoofing
  • Social Engineering

Risks of Insecure Systems
  • Risks to Trading Partners
  • Often includes transmission of Mission Critical
  • Data Interception (e-mail host??)
  • Message Origin Authentication (Nonrepudiation)
  • Proof of Delivery received by intended
  • Message Integrity Unauthorized Viewing of
  • Timely Delivery of Messages

DO?---Risk Management Process---
  • Identify Potential Risks
  • Analyze Assess Probability Prioritize
  • Design/Plan/Implement Assign Available
  • Business Continuity Plan
  • Monitor Tracking Devices, Corrective Actions
  • Control Evaluate
  • Repeat Process

Also Mandated by Sarbanes-Oxley
Selling CyberSecurity to Business
  • Need to pitch sale to audience
  • Executive
  • Cost/benefit - savings
  • Reduced Exposures
  • Manager
  • Streamline workflow
  • Budget impact
  • Employee
  • Ease of use

Impact Analysis Approach for Cyber Security
  • Public Web Site
  • Not critical for day-to-day operations
  • Mail Servers
  • Business hampered, not down if failure
  • E-Tail Web Site
  • Critical for revenue
  • Significant loss in stock price
  • Accounting Systems
  • Critical for operations
  • Desktop Virus
  • Can result in shutdown of entire system
  • Corporate Network Uptime
  • Mission critical, internal network connects

Impact Analysis Approach (Possible Scores)
Risk Analysis Approach
  • Identify Assets
  • Hardware, Network, Software, Data, and
  • Evaluate Exposures
  • Modification, Destruction/Loss, Disclosure, and
  • Create matrix of Assets/Exposures and evaluate
    each cell as being either H, M, or L
  • Never have a single point of failure!
  • Implement Controls
  • Should be Cost-Effective and Based on Matrix
  • Monitor Results

Evaluation Matrix
Modification Destruction/Loss Disclosure
Rate Risk as H, M or L
Business Continuity Plan
  • Businesses that are down for more than a week
    will (almost) never survive!
  • How Happen?
  • Power outage, natural disaster, intentional act
  • Florida businesses??
  • Elements of a BCP
  • Plan Identify A, B, and C Processes
  • Employee logistics
  • Power and telecommunications partners
  • Key suppliers
  • 3rd party site (Hot, Warm, Cold) or
  • Practice, Practice, Practice

Reducing Internal Security Threats
  • Make Fraud Less Likely to Occur
  • Hiring/Training
  • Corporate security culture
  • Increase Difficulty of Committing Fraud
  • Internal controls
  • Separation of duties/forced vacations
  • Limit access to machines/software/data/documentation
  • Reduce Fraud Loss
  • Insurance/Back-up Off-site storage/Contingency
  • Physical Security
  • Fireproof/fire extinguishers/smoke detectors
  • Uninterruptible power supply/surge protector
  • Increase Likelihood of Detecting Fraud
  • Periodic audits - People question actions
  • Investigate all anomalies - Prosecute all

Preventing Disruption, Destruction and Disaster
  • Key principle in preventing (reducing impact)
    disruption, destruction and disaster is
  • Uninterruptible power supplies (UPS)
  • Fault-tolerant servers
  • Disk mirroring duplexing
  • Multiple data communication lines/ companies that
    provide services
  • Redundancy can be built into other network
    components as well.
  • In some cases, the disruption is intentional
  • A special case is the denial-of-service attack,
    in which the hacker attempts to disrupt the
    network by sending messages to the network that
    prevent others' messages from being processed

Prevent Unauthorized Access
  • Key principle is to be proactive. Test your
    security systems before an intruder does.
  • Approaches to preventing unauthorized access
  • Developing a security policy
  • Developing user profiles
  • Plugging known security holes
  • Securing network access points
  • Preventing eavesdropping
  • Using encryption
  • A combination of all techniques is best to ensure
    strong security.

Develop User Profiles
  • The basis of network access is the user profile
    for a user's account
  • More systems are requiring users to enter a
    password in conjunction with something they have,
    such as a smart card.
  • In high-security applications, a user may be
    required to present something they are, such as a
    finger, hand or the retina of their eye for
    scanning by the system (biometric scanning).

Plug Known Security Holes
  • Many commonly used operating systems have major
    security problems well known to potential users
    (security holes).
  • Some security holes are not really holes, but
    simply policies adopted by computer vendors that
    open the door for security problems, such as
    computer systems that come with a variety of
    preinstalled user accounts.
  • Check vendor sites for updates
  • delete all preinstalled accounts,
  • change defaults
  • Check hacker sites

Securing Network Access Points
  • There are three major ways of gaining access
  • Using a computer located in the organization's
  • Dialing into the network
  • Accessing the network from another network to
    which it is connected (e.g. Internet)
  • Firewalls
  • The physical security of the building or
    buildings that house any of the hardware,
    software or communications circuits must also be

Are You Being Taken?
  • Most current SSL attacks are based on fooling the
    user, more so than breaking the technology.
  • Most forms online are not on secure servers, but
    the data you provide is usually sent to a secure
    server, which leads to one of the major problems.
  • The form data may not be going where it should. A
    simple attack is to have the fake site, and a
    form that takes the data, without using a secure
    server at all.

Are You Being Taken?
  • Check source HTML of pages you put credit card
  • The title bar should start with https:// followed
    by the sitename (i.e. https://
  • Also examine the HTML source to make sure the
    form data points to where it should go, you
    should see something like
  • or
  • .com/cgi-bin/order.cgi"
  • If a store is using the "GET" method, do not buy
    from them, any data you enter will be passed
    along as the query string, if you look in the
    text of your address bar you will see your credit
    card info.

Are You Being Taken?
  • If a store specifies a relative link (i.e.
    something/something.cgi) then make sure the
    current site you are at is a secure server, and
    that the certificate is legitimate.
  • If the link is absolute, and points to an IP
    address, be suspicious (Warning! Warning! Danger!
  • Ideally the link should point to something like
  • "https://
    cgi", and you should first browse to that site,
    and make sure the certificate is legitimate,
    before hitting the submit button on your order
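The checks on the last three slides, turned into an added example (not from the slides or the author): parse each form's action from the page source, resolve relative actions against the page you are on, and flag a GET method, a non-HTTPS target, a relative action on a non-HTTPS page, or an absolute link to a bare IP address. The sample pages and the 203.0.113.5 address are constructed for the demo.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _FormFinder(HTMLParser):
    """Collect (action, method) for every <form> tag in the page source."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))

def check_order_form(page_url, html):
    """Apply the slides' checks to each form on the page.
    Returns a list of finding codes; an empty list means nothing was flagged."""
    finder = _FormFinder()
    finder.feed(html)
    findings = []
    page_secure = urlparse(page_url).scheme == "https"
    for action, method in finder.forms:
        # A relative action submits to the site you are currently on
        target = urlparse(urljoin(page_url, action))
        if method == "get":
            findings.append("get-method")      # card data would appear in the address-bar query string
        if urlparse(action).scheme == "" and not page_secure:
            findings.append("relative-on-insecure-page")   # relative link, but current site is not HTTPS
        elif target.scheme != "https":
            findings.append("not-https")       # absolute link that does not use a secure server
        try:
            ipaddress.ip_address(target.hostname or "")
            findings.append("ip-address-target")   # absolute link to a bare IP: be suspicious
        except ValueError:
            pass                               # hostname is a name, not an IP literal
    return findings

# Constructed sample pages (not real sites); 203.0.113.5 is a documentation-only address.
GOOD_PAGE = '<form method="post" action="/cgi-bin/order.cgi"><input name="card"></form>'
BAD_PAGE = '<form method="get" action="http://203.0.113.5/cgi-bin/order.cgi"><input name="card"></form>'

if __name__ == "__main__":
    print(check_order_form("https://shop.example/order.html", GOOD_PAGE))
    print(check_order_form("https://shop.example/order.html", BAD_PAGE))
```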

Phishing? Spear Phishing?
  • What is it?
  • Phony, but realistic looking e-mail urging user
    to update sensitive financial information
  • Attackers target a single company or group (not
    the mass mailing of normal phishing attack). An
    example could be an email to
    purporting to come from
  • What do e-commerce outfits do to prevent
  • They send out fliers warning customers of the
  • How Effective is Phishing?
  • In 12 months ended 4/04, 57 million reported
    phish e-mail
  • Value of goods and services total $1.2B but does
    not include cost for HW, SW, reputation, etc.
  • Total damage estimated at $50B!

Four Horsemen of the Info-Apocalypse
  • Intelligence gathering
  • Systems damage
  • System hijacking
  • Disinformation

Checklist for Businesses
From The Dirty Dozen The 12 Security Lapses
That Make Your .Com, .Org, or .Net an Unwitting
Collaborator with Cyberterrorists
(http// )
Intelligence Gathering
  • Identity Impersonation and/or Identity Theft
  • See also Breakdowns in the Human Firewall
  • Spyware
  • Internal Threats
  • From the Innocent Incompetent to the
    Disgruntled Employee
  • The Society of Competitive Intelligence
    Professionals (http//

Systems Damage
  • Security lapses that allow for disruption or
    damage of data and information infrastructure.
  • Breakdowns in the Human Firewall
  • People are the weakest link in a security plan.
    Training can prevent a majority of security
  • System/Browser Vulnerabilities
  • Wireless Insecurity
  • Denial-of-Service (DoS) Attacks

System Hijacking
  • Use of established communications for
    clandestine communication with others
  • Steganography
  • art and science of hiding the fact that
    communication is happening. It involves hiding
    messages inside text, images, sounds, or other
    binary files for clandestine communications
  • Tunneling
  • allows communication in an environment where
    communication may not be possible due to
    firewalls or proxies that limit traffic
  • Worms, Trojan Horses, and Viruses
  • http//

  • Spreading false rumors electronically that are
    picked up by the media as true
  • Cracking into news servers to plant false or
    misleading stories
  • Entering false or misleading information in
  • DNS Poisoning and Domain Hijacking
  • DNS poisoning is convincing a name server that a
    domain has a different IP address.
  • Domain hijacking involves stealing a domain at
    the registrar level.
  • Changing Web Site Contents

Security/Productivity Balance
Paranoia is Good!