slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
kpmg PowerPoint Presentation
Download Presentation

Loading in 2 Seconds...

play fullscreen
1 / 41

kpmg - PowerPoint PPT Presentation

  • Uploaded on

kpmg. Information Risk Management E-Commerce Seminar University of Queensland Duncan C Martin KPMG Disclaimer. This presentation has been prepared by Duncan C Martin, of KPMG IRM in Brisbane. The views expressed are those of the author, and not necessarily those of KPMG.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'kpmg' - jaime-tillman

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Information Risk ManagementE-Commerce SeminarUniversity of QueenslandDuncan C

This presentation has been prepared by Duncan C Martin, of KPMG IRM in Brisbane. The views expressed are those of the author, and not necessarily those of KPMG

  • A few basics
  • What do we mean by risk?
  • What’s special about e-Commerce risks?
  • Approaches to managing certain components of risk
  • Questions
what is e commerce
What is e-Commerce?
  • Internet-enabled commerce
  • ‘Sexy’ - but dangerous
    • Inward risks - hacking, denial of service
    • Outward risks - unauthorised disclosure of private information and IP
  • Global network of computer networks (Comparable to the telephone network)
  • No owner or single administrative body
types of e commerce 1
Types of e-Commerce - 1
  • Business to Business (B2B)
    • Internet enabled relationships with business partners, customers, suppliers (extranets)
  • Business to Consumer (B2C)
    • Relationships with individual customers/end-users
  • Intra-Business (Intra-B)
    • Relationships within or between internal businesses/functional areas
types of e commerce 2
Types of e-Commerce - 2
  • Customer to Business (C2B)
    • “Reverse” market, where customer dictates product/service and terms of delivery (Priceline)
  • Customer to Customer (C2C)
    • Consumers interacting directly to create spot markets (eBay)
typical stages of e commerce
Typical stages of e-Commerce
  • Stage: 1 - establishing an Internet and e-Commerce presence through e-mail
  • Stage: 2 - establishing a visual e-Commerce presence with a pre-sale and post-sale web site
  • Stage: 3 - on-line order entry
  • Stage: 4 - internal integration of web based e-Commerce activities and “back office” functions
  • Stage: 5 - external integration of seller and buyer networks to allow automated supply-chain management
  • Stage: 6 - complete integration of technology including core technologies
what is risk
What is risk?

“The exposure to the possibility of such things as economic or financial loss or gain, physical damage, injury or delay, as a consequence of pursuing a particular course of action.”

general risks
General risks
  • Some unique general risks present themselves:
    • Possible loss of public confidence (if control failures are publicised)
    • Failure to comply with legal and regulatory requirements (possibly in multiple jurisdictions)
    • Erosion of traditional control mechanisms (loss of ‘common sense’ and compensating controls)
    • Technical complexity of infrastructure and systems
    • High reliance on third-parties (Trust)
specific risks
Specific risks
  • Specific e-Commerce risks are many and varied. It is convenient to group them as follows:
    • Strategic risks
    • Project and operational risks
    • Infrastructure risks
strategic risks
Strategic risks
  • Risks to the e-Commerce initiative due to the overall strategy/plan
    • E-Commerce strategy itself
    • Senior management support
    • Competing organisational priorities
    • Legal and regulatory issues
    • Invalid assumptions
project operational risks
Project/operational risks
  • Risks due to the implementation project itself, IT operations, and routine use of the system
    • Financial and human resources
    • In-house expertise
    • Outsource partners
    • Stakeholders
    • Support processes
    • Monitoring
infrastructure risks
Infrastructure risks
  • Risks due to the underlying application and technical (hardware and network) infrastructures
    • The technical infrastructure
    • Security over the technical infrastructure
    • System availability/reliability
    • Application security controls
    • Application processing controls
    • Interfaces with other systems
what and where is the risk
What and where is the risk?
  • What is the approach to managing strategic risk?
  • What is the approach to managing project risk?
  • What is the approach to managing information and technology risk?
assessing the risk
Assessing the risk
  • E-Commerce strategy relative to overall business goals
  • E-Commerce program management
  • Operations management
  • Application infrastructure
  • Technology infrastructure



  • Fire
  • Flood
  • Earthquake
  • Hurricane
  • Extreme heat
  • Extreme cold



  • Hardware failures
  • Software bugs
  • Operational errors and accidents


  • Disgruntled employee
  • Former employee
  • Contractor


  • Hacker
  • Spy
  • Fraudster
  • Unscrupulous competitor
  • People actively in the loop - policy enforcement
  • Physical isolation of information
  • Restricted logical access
  • Business hours
e commerce environment


E-Commerce environment
  • Protection policy enforced by machine
    • You can talk to a person, you must program a machine
    • Machines have a hard time with discretion
  • Any time, any where, service expectation
  • Millions of potential customers or clients
  • Different employee to customer ratios and skill sets
  • Making sure the data is not altered as it passes between one end point and another
    • The use of signatures to ensure the data stream is not altered
  • Making sure you know who it is you're talking to at the other end
    • Authentication to verify the remote user
  • Preventing unauthorised third parties from eavesdropping on your conversation
    • Encryption to prevent eavesdropping
traditional security mechanisms
Traditional security mechanisms
  • Confidentiality -
    • Locked file cabinets, drawers, safes, envelopes, personnel, service counters
  • Integrity
    • Product seals, shrink-wrap, signatures, barcodes
  • Availability
    • Multiple locations, personnel, alternate delivery options
  • Non-repudiation
    • Signatures, confirmations, receipts
e commerce mechanisms
E-Commerce mechanisms
  • Confidentiality
    • Data encryption, automated access controls, access control lists, passwords, tokens, biometrics
  • Integrity
    • Digital signatures, permissions, hash algorithms, audit trails
  • Availability
    • System redundancies, back-ups, off-site storage, hot/cold recovery sites, fail-over
  • Non-repudiation
    • Audit trails and logs, digital signatures and certificates
  • Plaintext to ciphertext
  • Renders message unreadable
  • Secret key method - same key to encrypts and decrypts
  • Public key method - two keys, one kept secret and never transmitted, and the other made public. (Public key method is used to safely send the secret key to the recipient so that the message can be encrypted using the faster secret key algorithm).

The truth is not always out there!

Can I trust

you ?

Who are you ?

What can

you do ?

Is anybody listening ?

the security factor

Primary barriers to successfully implementing E-commerce solutions

Lack of skills


Difficult to implement

Lack of knowledge

Resistance to change









% of responses

Security is #1

150 executives’ opinion of the major

barriers to e-Commerce

The security factor
how real is the risk
How real is the risk?
  • Of approximately 643 Surveyed organisations
    • 90% detected security breaches in last 12 months
    • 85% detected computer virii
    • 79% detected employee abuse of Internet privileges
    • 70% reported serious breaches, (inc. Theft of I.P. Financial Loss, System Penetration and DoS Attacks)
    • 74% acknowledged loss due to computer breaches
  • Only 42% (273) could quantify loss - this was a total of US$266 million

Source: “The Computer Security Institute - “2000 Computer Crime Security Survey” - March 2000

and in the e commerce environment
And in the e-Commerce environment
  • 61 respondents had experienced sabotage of networks at an estimated loss of US$27Million
    • (Last year US$11Million)
  • E-Commerce
    • 93% of respondents have www sites
    • 64% of those attacked reported Web-site vandalism
    • 60% reported Denial of Service (DoS) attacks
    • 43% conduct e-Commerce (30% in 1999)
    • 19% had had unauthorised access
    • 32% didn’t know if their systems had been misused
    • 3% reported financial fraud
three stages to security
Three stages to security
  • Secure the operating platform
  • Secure the web server software
  • Secure the business applications
secure the operating environment
Secure the operating environment
  • Remove unnecessary services
  • Restrict access
    • physical
    • logical - ‘two out of three’
  • Keep the OS up to date
  • Keep it simple
secure the web server
Secure the web server
  • Change the shipped/standard defaults
  • Keep the web server software updated
  • Audit web server logs
secure the application
Secure the application
  • Test the software
  • Keep up to date - bug alerts
  • Security awareness
  • Segregation of duties
  • Knowledgable staff
  • Additional protection (never run the web server on the Firewall itself)
  • Configurations
    • Sacrificial lamb
      • network-firewall-web server-Internet
    • DMZ (DeMilitarised Zone)
      • Internal network-firewall-web server-firewall-Internet
  • Policies
    • “Except for” - academia
    • “Only” - corporations
  • Audit firewall logs
securing web servers
Securing web servers
  • Security tools
    • Security scanners
    • Intrusion detection systems
    • File modification monitors
  • Hacker deception tools
    • Dynamic memory buffering
    • False responses
  • Third party services
    • Penetration testing
    • Certification
security policy
Security policy
  • Responsibility and accountability
    • Internet related
    • Use of tools & review of logs
    • Incident handling and response
    • Recovery procedures
    • Communication and update
    • Dedicated security resources
    • Expert resources and reviews
  • Multi-layered approach
    • Platform
    • Web server
    • Web applications
  • Firewalls and tools
  • Security policy
  • Security is the continuous assessment of risk against expense
  • Security is an enabling technology for e-Commerce
common kpmg findings
Common KPMG findings
  • Blind reliance on the technology - plug and play
  • Inadequate network intrusion monitoring controls
  • Policies and procedures are incomplete or weak
key messages
Key messages
  • Security & e-Commerce have a symbiotic relationship
  • Risks cannot be totally eliminated but controlled with solutions and procedures
  • Clients are evaluating PKI solutions for e-Commerce needs
  • Security risks in e-Commerce are real