ECOMMERCE - PowerPoint PPT Presentation

Loading...

PPT – ECOMMERCE PowerPoint presentation | free to download - id: 1b7915-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

ECOMMERCE

Description:

Evaluate mitigation measures consistent with business need ... MSc Comp. Sci. 18 years in IT and Information Security. eCommerce. Why? Lower Cost ... – PowerPoint PPT presentation

Number of Views:11
Avg rating:3.0/5.0
Slides: 49
Provided by: CSUS5
Learn more at: http://www.csus.edu
Category:
Tags: ecommerce | comp

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: ECOMMERCE


1
ECOMMERCE

SECURITY
2
Who Are We?
  • KPMG Risk And Advisory Services
  • Manage risk in automated and financial systems
  • Understand risks consistent with business need
  • Evaluate mitigation measures consistent with
    business need
  • Recommend controls and solutions consistent with
    business need

3
eCommerce... Why?
  • Lower Cost
  • Increased Efficiency
  • Speed to Market
  • Increased Security (huh??)
  • More Diverse Customer Base
  • Improved Customer Service
  • Creates New Services
  • Physical Size and Location Don't Matter

4
eCommerce
High Profile Examples
Amazon.com - The Internets largest virtual
bookstore Security First National Bank - The
first original virtual bank eTrade - An online
stock broker at reduced prices Wall Street
Journal Interactive - An online version of the
WSJ
5
eCommerce
Emerging eCommerce Examples
Digital Content Peer-to-Peer (starting with
Napster) Apples iTunes Music Store, Mobile
eCommerce - Vending (and other) machine
purchases Using cell phone of other specialized
token or smart card (Europe), Master Card -
August 28, 2003 - MasterCard International today
unveiled MasterCard SideCard, the stylish new
payment card which features a modified design
small enough to fit on a key ring. MicroPayments
Allows Web Surfers a method to make small
Purchases (under 1) for tidbits of on-line
content.
6
Are Internet (and other) security issues
over-hyped?
  • YES
  • But....there are valid concerns

7
Risks!
Traditional Risks
8
Risks!
Somewhat Recent Past Intrusions
9
Risks!
Current Incidents
10
Risks!
Future Risks
  • Dramatic growth in B-B, B-C, and B-E
  • Internet terminals in stores, airports, bars
  • Self-Checkout stands

In Short-
Anything that contains personal information Such
as a magnetic strip on a card
  • Driver's License
  • Credit Card
  • ATM Card
  • Medical Provider Cards

11
Where is the threat coming from?
MY NETWORK
12
Business to Consumer Risks
Web Server
  • RISKS
  • Intercepted transmission
  • Denial of service
  • Network intrusion

Remote Users accessing EC application over the
Internet
13
Business to Business Risks
Firewall
Firewall
Internal Network
Internal Network
Internet
  • RISKS
  • Loss of availability
  • Cant confirm transmission received
  • Eavesdropping

14

Potential Business Impact
  • Public Embarrassment / Image
  • Compromised Confidential Information
  • Compromised Integrity Of Information
  • Disruption of Services (System / Network Outages)
  • Fraud or Theft of Services
  • Financial Liability
  • Criminal Liability Under State or Federal Laws

15
How Do You Implement Adequate Security?
16
Security methodology
  • Proper security must provide the appropriate
    assurance that in any transaction
  • Both parties are identified and authenticated
  • Both parties can only perform the actions they
    are supposed to
  • The transaction information is correct/unaltered
  • The transaction is kept confidential
  • There is proof the transaction occurred
    (no-repudiation)

17
Security methodology
  • These assurances provide
  • Identification
  • Authentication
  • Authorization

A Secure Solution
  • Confidentiality
  • Integrity
  • Non-Repudiation

18
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

19
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

20
Firewall Solutions
  • Functions of a Firewall
  • Between a trusted and untrusted network
  • Controls traffic based on service, source,
    destination, user ID
  • Deny everything that is not specifically allowed

21
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

22
Strong Authentication
  • What you know, what you have, what you are (where
    you are?)
  • Uses two of the above
  • Several main types
  • Time based tokens
  • Challenge response
  • Public key (client side certificates)
  • Smart card based

23
Leading Authentication Examples
  • IDs Passwords
  • Benefits Users are comfortable
  • Risks Easily compromised or cracked!
  • Digital Certificates
  • Benefits Can be invisible to the user
  • Risks Require infrastructure, trust hierarchy
  • Smartcards
  • Benefits Strong link back to specific user
  • Risks Deploying readers, inconvenient for user

24
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

25
Security Architecture
The Transaction Model
Entity One (Business a.k.a. Bank of David)
Entity Two (User a.k.a. Fred)
26
Security Architecture
The Transaction Model Authentication Services
Application Server
Web Server
Firewall
Entity One (Business a.k.a. Bank of David)
End User PC
Entity Two (User a.k.a. Fred)
27
Security Architecture
The Transaction Model Cryptography Services
Authentication Client
Authentication Server
Application Server
Web Server
Firewall
Entity One (Business a.k.a. Bank of David)
Internet
End User PC
Entity Two (User a.k.a. Fred)
28
Security Architecture
The Transaction Model Putting it Together
Authentication Client
Authentication Server
Application Server
Web Server
Firewall
Public Key Storage
Entity One (Business a.k.a. Bank of David)
Internet
End User PC
Entity Two (User a.k.a. Fred)
29
Security Architecture
The Transaction Model Putting it Together
Authentication Client
Authentication Server
Application Server
Web Server
Firewall
Public Key Storage
Entity One (Business a.k.a. Bank of David)
End User PC
Entity Two (User a.k.a. Fred)
30
Security Architecture
The Transaction Model
Authentication Client
Authentication Server
Application Server
Web Server
Firewall
Public Key Storage
Entity One (Business a.k.a. Bank of David)
End User PC
Entity Two (User a.k.a. Fred)
31
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

32
Secure Protocols
  • S-HTTP
  • security enhanced version of the HTTP protocol
  • wraps entire message in a secure envelope
  • SSL
  • secures the channel with session keys
  • provides data encryption, server and client
  • authentication in version 3
  • SET
  • provides authentication and encryption for credit
  • card transactions

33
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

34
Virtual Private Networks
  • Encrypted tunnel
  • Varying levels of trust
  • Multiple business applications

Internet
35
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

36
Traditional Security
  • Host security
  • Secure applications / programming
  • Network security / partitioning
  • Physical security
  • Policies, procedures, guidelines, standards

37
Some Common Mistakes
  • Waiting too late to consider security
  • Dont analyze business risks
  • Give security to junior member on team
  • Pick a solution when you dont understand the
    technology
  • Ignore operating system level security
  • Thinking IDs and passwords are enough

38
Legislative Considerations
  • SB 1386
  • HIPAA
  • Graham Leach Bliley

39
SB 1386 - Breach Notification Law
  • Any agency or entity that owns or licenses
    computerized data that includes personal
    information
  • shall disclose any breach of the security of the
    system following discovery or notification of the
    breach in the security of the data
  • to any  resident of California whose unencrypted
    personal information was, or is reasonably
    believed to have been, acquired by an
    unauthorized person

40
SB1386 - Personal Information Defined
  • individual's first name or first initial and last
    name in combination with any one or more of the
    following data elements, when either thename or
    the data elements are not encrypted
  • Social security number
  • Driver's license number or California
    Identification Card number.
  • Account number, credit or debit card number, in
    combination with any required security code,
    access code, or password that would permit access
    to an individual's financial account

41
SB1386 - Penalties
  • 1798.84
  • (a) Any customer injured by a violation of this
    title may institute a civil action to recover
    damages.
  • (b) Any business that violates, proposes to
    violate, or has violated this title may be
    enjoined.
  • (c) The rights and remedies available under this
    section are cumulative to each other and to any
    other rights and remedies available under law.

42
Legislative Considerations
  • SB 1386
  • HIPAA
  • Graham Leach Bliley

43
Health Information Portability and Accountability
Act
  • HIPAA requires the development of comprehensive
    security programs to protect healthcare data.
  • Public Law 104-191, August 21, 1996
  • Amends Internal Revenue Service Code of 1986
  • Guarantees Health Coverage When Job Changes
  • Intended to Reduce Fraud and Abuse
    (Medicare/Medicaid)
  • Preempts State Laws Unless More Stringent

44
HIPAA Summary
  • Administrative Simplification - Establishes
    national standards for
  • Electronic (EDI) transactions
  • Identifiers such as provider, payer and employer
    and
  • Improved efficiency of processing health care
    information.
  • Privacy - Protect patient data from inappropriate
    disclosure or use.
  • Require consent to use protected health
    information for treatment, payment and operations
    for healthcare
  • Allow health information to be disclosed without
    patient authorization for certain purposes (such
    as research, public health and oversight) but
    only under defined circumstances
  • Require written authorization for use and
    disclosure of health information for other
    purposes
  • Create a set of fair information practices to
    inform patients how their information is used and
    disclosed, ensure they have access to information
    about them and
  • Security - Establish safeguards around patient
    information systems preventing unauthorized
    access.
  • Administrative procedures
  • Physical safeguards
  • Technical security mechanisms, including
    processes used to prevent unauthorized access to
    data transmitted over a communications network.

45
Legislative Controls and Remedies
  • SB 1386
  • HIPAA
  • Gramm-Leach Bliley

46
GLB Summary
  • In 1999 Congress enacted the Gramm-Leach-Bliley
    Act (GLB), significantly revising the way in
    which the financial services industry is
    regulated. GLB includes measures to protect the
    privacy of personal nonpublic information
    collected and used by financial service
    providers.
  • Notice to customers by the firm of its policies
    and practices regarding nonpublic information
  • Permission for customers to "Opt Out" of
    disclosure by the firm of information to certain
    nonaffiliated third parties
  • Limitations on disclosure by the firm to third
    parties, and various exceptions to the
    limitations and
  • Review and maintenance of safeguards to maintain
    the security of customer information.

47
Closing Comments
  • Good security solutions are available the key is
    applying them
  • Public perception will change over time
  • Need to focus on business risks

48
THE END
About PowerShow.com