Information Risk Management
E-Commerce Seminar, University of Queensland
Duncan C Martin, KPMG
dcmartin@kpmg.com.au
© 1999 KPMG

Disclaimer

This presentation has been prepared by Duncan C Martin, of KPMG IRM in Brisbane. The views expressed are those of the author, and not necessarily those of KPMG.

Agenda

- A few basics
- What do we mean by risk?
- What’s special about e-Commerce risks?
- Approaches to managing certain components of risk
- Questions

What is e-Commerce?

- Internet-enabled commerce
- ‘Sexy’ - but dangerous
  - Inward risks - hacking, denial of service
  - Outward risks - unauthorised disclosure of private information and IP
- Global network of computer networks (comparable to the telephone network)
- No owner or single administrative body

Types of e-Commerce - 1

- Business to Business (B2B) - Internet enabled relationships with business partners, customers, suppliers (extranets)
- Business to Consumer (B2C) - Relationships with individual customers/end-users
- Intra-Business (Intra-B) - Relationships within or between internal businesses/functional areas

Types of e-Commerce - 2

- Customer to Business (C2B) - “Reverse” market, where the customer dictates product/service and terms of delivery (Priceline)
- Customer to Customer (C2C) - Consumers interacting directly to create spot markets (eBay)

Typical stages of e-Commerce

- Stage 1 - establishing an Internet and e-Commerce presence through e-mail
- Stage 2 - establishing a visual e-Commerce presence with a pre-sale and post-sale web site
- Stage 3 - on-line order entry
- Stage 4 - internal integration of web based e-Commerce activities and “back office” functions
- Stage 5 - external integration of seller and buyer networks to allow automated supply-chain management
- Stage 6 - complete integration of technology including core technologies

What is risk?

“The exposure to the possibility of such things as economic or financial loss or gain, physical damage, injury or delay, as a consequence of pursuing a particular course of action.”

General risks

Some unique general risks present themselves:

- Possible loss of public confidence (if control failures are publicised)

- Failure to comply with legal and regulatory requirements (possibly in multiple jurisdictions)

- Erosion of traditional control mechanisms (loss of ‘common sense’ and compensating controls)

- Technical complexity of infrastructure and systems

- High reliance on third-parties (Trust)

Specific risks

Specific e-Commerce risks are many and varied. It is convenient to group them as follows:

- Strategic risks
- Project and operational risks
- Infrastructure risks

Strategic risks

Risks to the e-Commerce initiative due to the overall strategy/plan

- E-Commerce strategy itself
- Senior management support
- Competing organisational priorities
- Legal and regulatory issues
- Invalid assumptions

Project/operational risks

Risks due to the implementation project itself, IT operations, and routine use of the system

- Financial and human resources
- In-house expertise
- Outsource partners
- Stakeholders
- Support processes
- Monitoring

Infrastructure risks

Risks due to the underlying application and technical (hardware and network) infrastructures

- The technical infrastructure
- Security over the technical infrastructure
- System availability/reliability
- Application security controls
- Application processing controls
- Interfaces with other systems

What and where is the risk?

What is the approach to managing strategic risk?

What is the approach to managing project risk?

What is the approach to managing information and technology risk?

Assessing the risk

- E-Commerce strategy relative to overall business goals
- E-Commerce program management
- Operations management
- Application infrastructure
- Technology infrastructure

Threats

Unintentional
- Hardware failures
- Software bugs
- Operational errors and accidents

Intentional - outsider
- Hacker
- Spy
- Fraudster
- Unscrupulous competitor

Intentional - insider
- Disgruntled employee
- Former employee
- Contractor

Environmental
- Fire
- Flood
- Earthquake
- Hurricane
- Extreme heat
- Extreme cold

Traditionally

- People actively in the loop - policy enforcement
- Physical isolation of information
- Restricted logical access
- Business hours

E-Commerce environment

- Protection policy enforced by machine
  - You can talk to a person, you must program a machine
  - Machines have a hard time with discretion
- Any time, any where, service expectation
- Millions of potential customers or clients
- Different employee to customer ratios and skill sets

Objectives

Making sure the data is not altered as it passes between one end point and another

- The use of signatures to ensure the data stream is not altered

Making sure you know who it is you're talking to at the other end

- Authentication to verify the remote user

Preventing unauthorised third parties from eavesdropping on your conversation

- Encryption to prevent eavesdropping

Traditional security mechanisms

- Confidentiality - Locked file cabinets, drawers, safes, envelopes, personnel, service counters
- Integrity - Product seals, shrink-wrap, signatures, barcodes
- Availability - Multiple locations, personnel, alternate delivery options
- Non-repudiation - Signatures, confirmations, receipts

E-Commerce mechanisms

- Confidentiality - Data encryption, automated access controls, access control lists, passwords, tokens, biometrics
- Integrity - Digital signatures, permissions, hash algorithms, audit trails
- Availability - System redundancies, back-ups, off-site storage, hot/cold recovery sites, fail-over
- Non-repudiation - Audit trails and logs, digital signatures and certificates
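An added example, not part of the original slides, of the integrity and non-repudiation mechanisms listed above (digital signatures, hash algorithms, audit trails): the party issuing an order signs the order record with a private key, anyone holding the matching public key can verify it, and any alteration of the record after signing is detected. It uses only Go's standard-library Ed25519; the order record and the audit-trail line format are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignOrder produces a detached signature over the exact bytes of the order.
// Only the holder of the private key can produce it, which is what gives
// non-repudiation: the signer cannot later deny having issued the order.
func SignOrder(priv ed25519.PrivateKey, order []byte) []byte {
	return ed25519.Sign(priv, order)
}

// VerifyOrder reports whether sig is a valid signature of order under pub.
// Changing a single byte of the order after signing makes this return false.
func VerifyOrder(pub ed25519.PublicKey, order, sig []byte) bool {
	return ed25519.Verify(pub, order, sig)
}

// AuditLine is the audit-trail record a server would append for each order it
// checks: a fingerprint of the signing key, a hash of the order bytes and the
// verification outcome. The format is constructed for this example.
func AuditLine(pub ed25519.PublicKey, order []byte, verified bool) string {
	keyFP := sha256.Sum256(pub)
	orderHash := sha256.Sum256(order)
	return fmt.Sprintf("signer=%s order_sha256=%s verified=%t",
		hex.EncodeToString(keyFP[:8]), hex.EncodeToString(orderHash[:]), verified)
}

// Demo signs a constructed order, verifies it, then shows that altering the
// amount after signing is detected. It returns both verification results.
func Demo() (genuineOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed order record; in practice this is the canonical
	// serialisation of exactly what the customer submitted.
	order := []byte("order=1001;item=widget;qty=1;amount=10.00;customer=alice")
	sig := SignOrder(priv, order)
	genuineOK = VerifyOrder(pub, order, sig)

	// Same signature, but the amount was changed in transit.
	tampered := []byte("order=1001;item=widget;qty=1;amount=1000.00;customer=alice")
	tamperedOK = VerifyOrder(pub, tampered, sig)

	fmt.Println(AuditLine(pub, order, genuineOK))
	fmt.Println(AuditLine(pub, tampered, tamperedOK))
	return genuineOK, tamperedOK, nil
}

func main() {
	if _, _, err := Demo(); err != nil {
		panic(err)
	}
}
```

The signature is bound to the hash of the whole record, so the audit line can later prove which key approved which exact order; binding the public key to a person or organisation is the job of the certificates mentioned on the slide.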

Encryption

- Plaintext to ciphertext
- Renders the message unreadable
- Secret key method - the same key encrypts and decrypts
- Public key method - two keys, one kept secret and never transmitted, and the other made public. (The public key method is used to safely send the secret key to the recipient so that the message can be encrypted using the faster secret key algorithm.)

Secret key / Public key (diagram)

Authentication

- Is anybody listening?
- Can I trust you?
- What can you do?
- Who are you?

The truth is not always out there!

Authentication (diagram)

The security factor

Primary barriers to successfully implementing e-Commerce solutions (bar chart, % of responses, scale 0-25): Security, Market, Resistance to change, Lack of knowledge, Difficult to implement, Cost, Lack of skills

Security is #1 - 150 executives’ opinion of the major barriers to e-Commerce

How real is the risk?

Of approximately 643 surveyed organisations:
- 90% detected security breaches in the last 12 months
- 85% detected computer viruses
- 79% detected employee abuse of Internet privileges
- 70% reported serious breaches (including theft of IP, financial loss, system penetration and DoS attacks)
- 74% acknowledged loss due to computer breaches

Only 42% (273) could quantify loss - this was a total of US$266 million

Source: The Computer Security Institute, “2000 Computer Crime Security Survey”, March 2000

And in the e-Commerce environment

61 respondents had experienced sabotage of networks at an estimated loss of US$27 million (last year US$11 million)

E-Commerce
- 93% of respondents have www sites
- 64% of those attacked reported web-site vandalism
- 60% reported Denial of Service (DoS) attacks
- 43% conduct e-Commerce (30% in 1999)
- 19% had had unauthorised access
- 32% didn’t know if their systems had been misused
- 3% reported financial fraud

Three stages to security

- Secure the operating platform
- Secure the web server software
- Secure the business applications

Secure the operating environment

- Remove unnecessary services
- Restrict access
  - physical
  - logical - ‘two out of three’
- Keep the OS up to date
- Keep it simple

Secure the web server

- Change the shipped/standard defaults
- Keep the web server software updated
- Audit web server logs
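An added example, not part of the original slides, of what auditing web server logs looks like in practice: a small Go program that parses Common Log Format lines and reports two things a reviewer would want flagged, requests that try to step outside the document root and clients that collect an unusual number of client-error responses (a burst of "not found" from one host usually means someone is probing for files and scripts that should not be exposed). The log lines, addresses and threshold are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// clfPattern matches the Common Log Format most web servers of the period wrote:
// host ident authuser [date] "request" status bytes
var clfPattern = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)`)

// Entry is one parsed access-log line.
type Entry struct {
	Host    string
	Time    string
	Request string
	Status  int
}

// ParseCLF parses one line; ok is false for lines that are not in CLF.
func ParseCLF(line string) (e Entry, ok bool) {
	m := clfPattern.FindStringSubmatch(line)
	if m == nil {
		return Entry{}, false
	}
	status, err := strconv.Atoi(m[4])
	if err != nil {
		return Entry{}, false
	}
	return Entry{Host: m[1], Time: m[2], Request: m[3], Status: status}, true
}

// Finding is one audit observation for a person to review.
type Finding struct {
	Host   string
	Reason string
}

// AuditLog applies two review rules: report any request whose path contains
// a ".." component, and report any client with at least errorThreshold
// responses in the 4xx range. Findings are returned in a deterministic order.
func AuditLog(log string, errorThreshold int) []Finding {
	var findings []Finding
	clientErrors := map[string]int{}
	var firstSeen []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		e, ok := ParseCLF(sc.Text())
		if !ok {
			continue // not CLF; a production tool would count these as well
		}
		if strings.Contains(e.Request, "..") {
			findings = append(findings, Finding{e.Host, "directory traversal in request: " + e.Request})
		}
		if e.Status >= 400 && e.Status < 500 {
			if clientErrors[e.Host] == 0 {
				firstSeen = append(firstSeen, e.Host)
			}
			clientErrors[e.Host]++
		}
	}
	for _, h := range firstSeen {
		if n := clientErrors[h]; n >= errorThreshold {
			findings = append(findings, Finding{h, fmt.Sprintf("%d client-error responses (probing)", n)})
		}
	}
	return findings
}

// SampleLog is a constructed access log: ordinary shop traffic from 10.0.0.x
// and one probing client at 192.0.2.77 (a documentation address).
const SampleLog = `10.0.0.5 - - [12/Mar/2000:10:00:01 +1000] "GET /index.html HTTP/1.0" 200 2326
10.0.0.5 - - [12/Mar/2000:10:00:03 +1000] "GET /catalog.html HTTP/1.0" 200 5120
192.0.2.77 - - [12/Mar/2000:10:01:00 +1000] "GET /cgi-bin/admin.cgi HTTP/1.0" 404 210
192.0.2.77 - - [12/Mar/2000:10:01:01 +1000] "GET /admin/ HTTP/1.0" 404 210
192.0.2.77 - - [12/Mar/2000:10:01:02 +1000] "GET /static/../../config.txt HTTP/1.0" 403 199
192.0.2.77 - - [12/Mar/2000:10:01:03 +1000] "GET /orders.bak HTTP/1.0" 404 210
10.0.0.9 - - [12/Mar/2000:10:02:00 +1000] "POST /cgi-bin/order.cgi HTTP/1.0" 200 812
this line is not in common log format and is skipped
`

func main() {
	for _, f := range AuditLog(SampleLog, 3) {
		fmt.Printf("%-12s %s\n", f.Host, f.Reason)
	}
}
```

Run against the sample, it reports the traversal attempt and the four client errors from 192.0.2.77 while the two customers are silent; real audits add a time window to the threshold and feed the findings into the incident-handling procedure the security policy slide calls for.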

Secure the application

- Test the software
- Keep up to date - bug alerts
- Security awareness
- Segregation of duties
- Knowledgeable staff

Firewalls

- Additional protection (never run the web server on the firewall itself)
- Configurations
  - Sacrificial lamb: network - firewall - web server - Internet
  - DMZ (DeMilitarised Zone): internal network - firewall - web server - firewall - Internet
- Policies
  - “Except for” - academia
  - “Only” - corporations
- Audit firewall logs

Securing web servers

- Security tools
  - Security scanners
  - Intrusion detection systems
  - File modification monitors
- Hacker deception tools
  - Dynamic memory buffering
  - False responses
- Third party services
  - Penetration testing
  - Certification
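An added example, not part of the original slides, of the file modification monitor listed under security tools: a baseline of SHA-256 hashes is taken over the web root while it is known-good, and a later scan is compared against it to report files that were modified, added or removed. This is how web-site vandalism of the kind the survey slides describe is noticed before customers see it. Go standard library only; the web root contents and the simulated changes are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps each file path (relative to the root, slash-separated) to the
// hex SHA-256 of its contents.
type Baseline map[string]string

// TakeBaseline hashes every regular file under root. Take it once after the
// server is built and store it off the server: whoever can change index.html
// can also change a baseline kept next to it.
func TakeBaseline(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		b[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return b, err
}

// Change is one difference between two baselines; Kind is "added", "modified" or "removed".
type Change struct {
	Path string
	Kind string
}

// Compare reports what changed between the stored baseline and a fresh scan,
// sorted by path so repeated runs produce identical reports.
func Compare(before, after Baseline) []Change {
	var changes []Change
	for p, h := range after {
		old, known := before[p]
		switch {
		case !known:
			changes = append(changes, Change{p, "added"})
		case old != h:
			changes = append(changes, Change{p, "modified"})
		}
	}
	for p := range before {
		if _, still := after[p]; !still {
			changes = append(changes, Change{p, "removed"})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Path < changes[j].Path })
	return changes
}

// Demo builds a constructed web root in a temporary directory, baselines it,
// then simulates a defaced home page, a script that appeared in cgi-bin and a
// file that went missing, and returns what the monitor reports.
func Demo() ([]Change, error) {
	root, err := os.MkdirTemp("", "webroot")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(root)
	write := func(name, content string) error {
		return os.WriteFile(filepath.Join(root, filepath.FromSlash(name)), []byte(content), 0o644)
	}
	if err := os.MkdirAll(filepath.Join(root, "cgi-bin"), 0o755); err != nil {
		return nil, err
	}
	initial := map[string]string{
		"index.html":        "<h1>Welcome to the shop</h1>",
		"cgi-bin/order.cgi": "#!/bin/sh\necho order accepted\n",
		"prices.txt":        "widget 10.00\n",
	}
	for name, content := range initial {
		if err := write(name, content); err != nil {
			return nil, err
		}
	}
	before, err := TakeBaseline(root)
	if err != nil {
		return nil, err
	}
	// Simulated changes after the baseline was taken.
	if err := write("index.html", "<h1>site defaced</h1>"); err != nil {
		return nil, err
	}
	if err := write("cgi-bin/extra.cgi", "#!/bin/sh\n"); err != nil {
		return nil, err
	}
	if err := os.Remove(filepath.Join(root, "prices.txt")); err != nil {
		return nil, err
	}
	after, err := TakeBaseline(root)
	if err != nil {
		return nil, err
	}
	return Compare(before, after), nil
}

func main() {
	changes, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, c := range changes {
		fmt.Printf("%-9s %s\n", c.Kind, c.Path)
	}
}
```

Scheduled runs of Compare against the stored baseline, with every non-empty report raised through the incident-handling process, turn the "file modification monitor" bullet into a working detective control.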

Security policy

- Responsibility and accountability
- Internet related
- Use of tools & review of logs
- Incident handling and response
- Recovery procedures
- Communication and update
- Dedicated security resources
- Expert resources and reviews

Summary

- Multi-layered approach
  - Platform
  - Web server
  - Web applications
- Firewalls and tools
- Security policy
- Security is the continuous assessment of risk against expense
- Security is an enabling technology for e-Commerce

Common KPMG findings

Blind reliance on the technology - plug and play

Inadequate network intrusion monitoring controls

Policies and procedures are incomplete or weak

Key messages

Security & e-Commerce have a symbiotic relationship

Risks cannot be totally eliminated, but they can be controlled with solutions and procedures

Clients are evaluating PKI solutions for e-Commerce needs

Security risks in e-Commerce are real

Questions
