Secure e-Business Infrastructure - PowerPoint PPT Presentation

Presentation Transcript

  1. Secure e-Business Infrastructure Gerald Trites, CA*CISA, FCA Professor of Accounting and Information Systems St Francis Xavier University

  2. Coverage of Session
  • What is meant by e-Business
  • What is meant by E-Business Infrastructure
  • What is meant by e-Business Security
  • Security - Risks and Benefits
  • State of E-business Security
  • Professional Standards
  • Notes on Wireless Security

  4. Definition of e-Business
  • In a very broad and general sense, electronic business has often been defined as any business carried out in electronic form.
  • “e-Business is the complex fusion of business processes, enterprise applications, and organizational structure necessary to create a high-performance business model.” - Kalakota and Robinson

  5. Components of e-Business
  • Strategic internet commerce
  • Collaborative commerce
  • Mobile commerce
  • E-Business involves a technological and business infrastructure

  7. E-business Infrastructure - Definitions
  • Basis for security strategy
  • Definition - IBM paper (pg 15)
  • Dell - http://www.dell.com/us/en/esg/topics/products_infrastructure_arc_pedge_000_internet-infra.htm

  8. Infrastructure – a broader perspective
  • Hardware and operating systems
  • Networking infrastructure and technology
  • Intranets, extranets, shared technologies, policies, collaboration, including wireless
  • Enterprise resource planning
  • Data management - data warehousing - business intelligence applications
  • Web infrastructure and Internet applications
  • Software and related infrastructure

  10. What is meant by e-Business Security
  • The infrastructure as a whole must be secure
  • IAPS 1013 – Para 9
  • Policies
  • Risk/Benefit Approach
  • Administration

  12. E-Business Risks
  • We will address the incremental risks of E-business.
  • Risks that apply to traditional IT also apply to e-business. Some of the controls that address the incremental risks also apply to traditional risks.

  13. General e-Business Security Risks
  • Web/Internet exposure
  • Access to back office systems
  • Integration of collaborative systems
  • Particular importance of encryption, digital certificates, PKI, etc.
  • Growth of wireless

  14. E-Business Risks
  • Incomplete transactions because of network breakdown.
  • Incomplete or inaccurate transactions because of cracker interception.

  15. E-Business Risks
  • Unauthorized transactions
  • Unauthorized access to confidential or personal information

  16. E-business Risks
  • Parties denying transactions because of insufficient audit trail
  • Inadequate participation by customers and stakeholders because of lack of confidence in information security, privacy and system reliability
  • Embarrassment caused by crackers

  17. Some Industry Statistics
  • In the 2003 “Computer Crime and Security Survey” of the CSI, 56% of the respondents acknowledged financial losses due to customer breaches.
  • In the same survey, 46% of respondents detected system penetration from the outside and 45% from the inside.

  18. Some Industry Statistics
  • The cost of these incidents is reported at $201,797,340 USD.
  • In another survey, 17% of CIOs who experienced “external computer crime” said the attacks cost their company more than $1 million (CIO Magazine).

  19. Some Industry Statistics
  • The results of a test in 2002 showed that, on average, it took 34 hours of forensics research to uncover and understand an unauthorized entry, while it took the cracker less than a minute to crack the system. (Honeynet Project’s Forensics Challenge)

  20. Internet Security Issues
  • Securing the web server
  • Securing information that travels between the web server and the user
  • Protecting the organization’s systems
  • Protecting the user’s computer

  21. Damages of Website Cracking
  • Theft of data.
  • Web site defacement.
  • Web site alteration, e.g., changing a sentence in the terms and conditions of an e-business service, thus exposing a company to liabilities.

  22. Other Damages of Cracking
  • Alteration of business systems
  • Denial of service

  23. Virus Infection
  • Propagated by email
  • Infection through data download
  • Infection through diskettes or internal file transfer

  24. Damage Caused by Viruses
  • Loss of business information
  • Down time for mission critical systems
  • Loss of customer confidence
  • Unauthorized disclosure of confidential or personal information

  25. Approach to Security
  • Identify risks
  • Costs of those risks
  • Costs of covering those risks
  • Make hard decisions
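A worked version of this four-step approach, added here as an illustration rather than taken from the slides: each risk is costed as expected annual loss, each control is credited only with the residual loss it actually removes, and controls are chosen greedily within a budget so the "hard decision" changes with the money available. All figures, risk names and control names below are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    name: str
    per_year: float   # expected incidents per year
    loss: float       # dollars lost per incident

@dataclass
class Control:
    name: str
    cost: float                               # annual cost of the control
    cuts: dict = field(default_factory=dict)  # risk name -> fraction of residual loss removed

# Constructed sample figures for three of the deck's risks and four candidate controls.
RISKS = [
    Risk("incomplete transactions (network breakdown)", 4.0, 20_000),
    Risk("interception of transactions", 0.5, 150_000),
    Risk("unauthorized access to personal information", 0.2, 800_000),
]
CONTROLS = [
    Control("redundant network links", 30_000, {RISKS[0].name: 0.9}),
    Control("TLS on all customer traffic", 15_000, {RISKS[1].name: 0.95}),
    Control("back-office access controls and audit trail", 60_000, {RISKS[2].name: 0.6}),
    Control("web application firewall", 40_000, {RISKS[1].name: 0.3, RISKS[2].name: 0.3}),
]

def net_benefit(control, residual):
    """Loss the control removes from the current residual losses, minus its cost."""
    return sum(residual.get(n, 0.0) * f for n, f in control.cuts.items()) - control.cost

def choose_controls(risks, controls, budget):
    """Greedy: each round take the control with the largest positive net benefit that
    fits the remaining budget, then shrink the residual losses it covers so a later
    control addressing the same risk is not credited for loss already removed."""
    residual = {r.name: r.per_year * r.loss for r in risks}
    remaining, chosen, spent = list(controls), [], 0.0
    while remaining:
        best = max(remaining, key=lambda c: net_benefit(c, residual))
        if net_benefit(best, residual) <= 0:
            break                       # nothing left pays for itself
        remaining.remove(best)
        if spent + best.cost > budget:
            continue                    # too expensive; try the next-best candidate
        chosen.append(best.name)
        spent += best.cost
        for n, f in best.cuts.items():
            residual[n] *= 1 - f
    return chosen, spent, sum(residual.values())
```

With a $100,000 budget the access-control project is skipped in favour of the cheaper firewall; with $200,000 it is taken and the firewall no longer pays for itself.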

  27. State of E-business Security
  • Not well defined
  • Numerous standards
  • Defining infrastructure helps
  • Incidents are down and spending is up – a good sign

  29. International Pronouncement
  IAPS 1013 - Electronic Commerce: Effect on the Audit of Financial Statements
  • http://www.ifac.org/Store/Details.tmpl?SID=1020391644143062&Cart=10288243744623

  30. Main Points in IAPS 1013
  • Knowledge of business
  • E-Business infrastructure
  • System and process integration
  • Dependence on the Internet
  • Controls over encryption
  • Legal issues
  • Impact on audit evidence

  32. Notes on Wireless Security
  • Wireless LANs (WiFi) - 802.11(b)
  • WEP
  • Bluetooth
  • Cell phones

  33. Wireless Network Security (802.11)
  • Native system weak - WEP (Wired Equivalency Protocol)
  • Default is no WEP security – needs to be enabled at the high encryption level
  • Set MAC address security

  34. Need Protection from
  • Denial of service attacks
  • Parking lot attacks
  • Man-in-the-Middle attacks
  • Session hijacking

  35. WLAN Security Basic Recommendations
  • Develop a security policy
  • Enable WEP
  • Restrict MAC address access
  Bluetooth Security
  • Profiles - Headset, LAN, PAN
  • Passkeys (unit and combination)
  • Authentication and encryption
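An added example, not from the deck, that audits a constructed access-point configuration against the WLAN recommendations on slides 33 and 35: encryption enabled at the high (128-bit) level rather than the factory default of none, and MAC address restriction switched on with a valid allow-list. The key=value format is hypothetical rather than any vendor's syntax, and the check goes beyond the WEP-era advice by also accepting WPA2/WPA3, which superseded WEP.

```python
import re

# Nominal WEP key sizes by hex-key length: 10 digits = 64-bit, 26 digits = 128-bit.
WEP_KEY_BITS = {10: 64, 26: 128}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample configurations in a hypothetical key=value format
# (not any vendor's real syntax): the factory default, and a hardened version.
DEFAULT_AP = """
ssid=corp-wlan
encryption=none
mac_filter=off
"""
HARDENED_AP = """
ssid=corp-wlan
encryption=wep
wep_key=0123456789abcdef0123456789
mac_filter=on
mac_allow=00:11:22:33:44:55,66:77:88:99:aa:bb
"""

def parse_config(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip().lower()] = value.strip()
    return cfg

def audit_wlan(cfg):
    """Return the list of findings; an empty list means both checks pass."""
    findings = []
    enc = cfg.get("encryption", "none").lower()
    if enc == "none":
        findings.append("encryption disabled (factory default)")
    elif enc == "wep":
        bits = WEP_KEY_BITS.get(len(cfg.get("wep_key", "")))
        if bits is None:
            findings.append("WEP key is not a 10- or 26-digit hex key")
        elif bits < 128:
            findings.append("WEP at 64-bit; use the 128-bit setting")
        # WEP is the deck's floor; WPA2/WPA3 superseded it and pass this check unchanged.
    macs = [m.strip().lower() for m in cfg.get("mac_allow", "").split(",") if m.strip()]
    if cfg.get("mac_filter", "off").lower() != "on" or not macs:
        findings.append("MAC address restriction off or allow-list empty")
    elif not all(MAC_RE.match(m) for m in macs):
        findings.append("malformed entry in MAC allow-list")
    return findings
```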

  36. Conclusions – Needed for e-Business Infrastructure Security
  • Infrastructure definition and monitoring
  • Infrastructure-level risk/benefit evaluation and implementation
  • Process for ongoing security change management
  • Oversight, resources and constant vigilance

  37. Presentation for Download http://www.zorba.ca/e-Business Security.htm