Secure eBusiness Infrastructure - PowerPoint PPT Presentation

Slides: 39
Provided by: gtri4

1
Secure e-Business Infrastructure
  • Gerald Trites, CACISA, FCA
  • Professor of Accounting and Information Systems
  • St Francis Xavier University

2
Coverage of Session
  • What is meant by e-Business
  • What is meant by E-Business Infrastructure
  • What is meant by e-Business Security
  • Security - Risks and Benefits
  • State of E-business Security
  • Professional Standards
  • Notes on Wireless Security

4
Definition of e-Business
  • In a very broad and general sense, electronic
    business has often been defined as any business
    carried out in electronic form.
  • e-Business is the complex fusion of business
    processes, enterprise applications, and
    organizational structure necessary to create a
    high-performance business model. - Kalakota and
    Robinson

5
Components of e-Business
  • Strategic internet commerce
  • Collaborative commerce
  • Mobile Commerce
  • E-Business involves a technological and business
    infrastructure

7
E-business Infrastructure - Definitions
  • Basis for security strategy
  • Definition - IBM paper (pg 15)
  • Dell - http://www.dell.com/us/en/esg/topics/products_infrastructure_arc_pedge_000_internet-infra.htm

8
Infrastructure - a broader perspective
  • Hardware and operating systems
  • Networking infrastructure and technology
  • Intranets, extranets, shared technologies,
    policies, collaboration, including wireless
  • Enterprise resource planning
  • Data management - Data warehousing - Business
    intelligence applications
  • Web infrastructure and Internet applications
  • Software and related infrastructure

10
What is meant by e-Business Security
  • The infrastructure as a whole must be secure
  • IAPS 1013 Para 9
  • Policies
  • Risk/Benefit Approach
  • Administration

12
E-Business Risks
  • We will address the incremental risks of
    E-business.
  • Risks that apply to traditional IT also apply to
    e-business. Some of the controls to address the
    incremental risks also apply to traditional risks.

13
General e-Business Security Risks
  • Web/Internet exposure
  • Access to back office systems
  • Integration of collaborative systems
  • Particular importance of encryption, digital
    certificates, PKI, etc.
  • Growth of wireless

14
E-Business Risks
  • Incomplete transactions because of network
    breakdown.
  • Incomplete or inaccurate transactions because of
    cracker interception.

15
E-Business Risks
  • Unauthorized transactions
  • Unauthorized access to confidential or personal
    information

16
E-business Risks
  • Parties denying transactions because of
    insufficient audit trail
  • Inadequate participation by customers and
    stakeholders because of lack of confidence in
    information security, privacy and system
    reliability
  • Embarrassment caused by crackers

17
Some Industry Statistics
  • In the 2003 Computer Crime and Security Survey
    of the CSI, 56% of the respondents acknowledged
    financial losses due to customer breaches.
  • In the same survey, 46% of respondents detected
    system penetration from the outside and 45% from
    the inside.

18
Some Industry Statistics
  • The cost of these incidents is reported at
    201,797,340 USD
  • In another survey, 17% of CIOs who experienced
    external computer crime said the attacks cost
    their company more than 1 million (CIO Magazine)

19
Some Industry Statistics
  • The results of a test in 2002 showed that, on
    average, it took 34 hours of forensics research
    to uncover and understand an unauthorized entry,
    while it took the cracker less than a minute to
    crack the system. (Honeynet Project's Forensics
    Challenge)

20
Internet Security Issues
  • Securing the web server
  • Securing information that travels between the web
    server and the user
  • Protecting the organization's systems
  • Protecting the user's computer

21
Damages of Website Cracking
  • Theft of data.
  • Web site defacement.
  • Web site alteration, e.g., changing a sentence in
    the terms and conditions of an e-business
    service, thus exposing a company to liabilities.

22
Other Damages of Cracking
  • Alteration of business systems
  • Denial of service

23
Virus Infection
  • Propagate by email
  • Infected through data download
  • Infected through diskettes or internal file
    transfer

24
Damage Caused by Viruses
  • Loss of business information
  • Down time for mission critical systems
  • Loss of customer confidence
  • Unauthorized disclosure of confidential or
    personal information

25
Approach to Security
  • Identify Risks
  • Costs of those risks
  • Costs of covering those risks
  • Make hard decisions

27
State of E-business Security
  • Not well defined
  • Numerous standards
  • Defining Infrastructure Helps
  • Incidents are down and spending is up - good sign

29
International Pronouncement
  • IAPS 1013 - Electronic Commerce - Effect on the
    Audit of Financial Statements
  • http://www.ifac.org/Store/Details.tmpl?SID1020391644143062Cart10288243744623

30
Main Points in IAPS 1013
  • Knowledge of Business
  • E-Business Infrastructure
  • System and Process Integration
  • Dependence on Internet
  • Controls over encryption
  • Legal issues
  • Impact on audit evidence

32
Notes on Wireless Security
  • Wireless LANs (WiFi) - 802.11(b)
  • WEP
  • Bluetooth
  • Cell Phones

33
Wireless Network Security (802.11)
  • Native system weak - WEP (Wired Equivalency
    Protocol)
  • Default is no WEP security - needs to be enabled
    at high encryption level
  • Set MAC Address Security

34
Need Protection from
  • Denial of service attacks
  • Parking lot attacks
  • Man-in-the-Middle Attacks
  • Session Hijacking

35
WLAN Security Basic Recommendations
  • Develop a Security Policy
  • Enable WEP
  • Restrict MAC Address Access
  • Bluetooth Security
  • Profiles - Headset, LAN, PAN
  • Passkeys (unit and combination)
  • Authentication and encryption

36
Conclusions - Needed for e-Business Infrastructure Security
  • Infrastructure Definition and Monitoring
  • Infrastructure Level Risk/Benefit Evaluation and
    Implementation
  • Process for Ongoing Security Change Management
  • Oversight, Resources and Constant Vigilance

37
Presentation for Download
  • http://www.zorba.ca/e-Business Security.htm
