Title: Secure e-Business Infrastructure
1Secure e-Business Infrastructure
- Gerald Trites, CACISA, FCA
- Professor of Accounting and Information Systems
- St Francis Xavier University
2Coverage of Session
- What is meant by e-Business
- What is meant by E-Business Infrastructure
- What is meant by e-Business Security
- Security - Risks and Benefits
- State of E-business Security
- Professional Standards
- Notes on Wireless Security
3Coverage of Session
- What is meant by e-Business
- What is meant by E-Business Infrastructure
- What is meant by e-Business Security
- Security - Risks and Benefits
- State of E-business Security
- Professional Standards
- Notes on Wireless Security
4Definition of e-Business
- In a very broad and general sense, electronic
business has often been defined as any business
carried out in electronic form. - e-Business is the complex fusion of business
processes, enterprise applications, and
organizational structure necessary to create a
high-performance business model. - Kalakota and
Robinson
5Components of e-Business
- Strategic internet commerce
- Collaborative commerce
- Mobile Commerce
- E-Business involves a technological and business
infrastructure
6Coverage of Session
- What is meant by e-Business
- What is meant by E-Business Infrastructure
- What is meant by e-Business Security
- Security - Risks and Benefits
- State of E-business Security
- Professional Standards
- Notes on Wireless Security
7E-business Infrastructure - Definitions
- Basis for security strategy
- Definition - IBM paper (pg 15)
- Dell - http//www.dell.com/us/en/esg/topics/produc
ts_infrastructure_arc_pedge_000_internet-infra.htm
8Infrastructure a broader perspective
- Hardware and operating systems
- Networking infrastructure and technology
- Intranets, extranets, shared technologies,
policies, collaboration, including wireless - Enterprise resource planning
- Data management- Data warehousing - Business
intelligence applications - Web infrastructure and Internet applications
- Software and related infrastructure
9Coverage of Session
- What is meant by e-Business
- What is meant by E-Business Infrastructure
- What is meant by e-Business Security
- Security - Risks and Benefits
- State of E-business Security
- Professional Standards
- Notes on Wireless Security
10What is meant by e-Business Security
- The infrastructure as a whole must be secure
- IAPS 1013 Para 9
- Policies
- Risk/Benefit Approach
- Administration
11Coverage of Session
- What is meant by e-Business
- What is meant by E-Business Infrastructure
- What is meant by e-Business Security
- Security - Risks and Benefits
- State of E-business Security
- Professional Standards
- Notes on Wireless Security
12E-Business Risks
- We will address the incremental risks of
E-business. - Risks that apply to traditional IT also apply to
e-business. Some of the controls to address the
incremental risks also apply to traditional risks.
13General e-Business Security Risks
- Web/Internet exposure
- Access to back office systems
- Integration of collaborative systems
- Particular importance of encryption, digital
certificates, PKI, etc. - Growth of wireless
14E-Business Risks
- Incomplete transactions because of network
breakdown. - Incomplete or inaccurate transactions because of
cracker interception.
15E-Business Risks
- Unauthorized transactions
- Unauthorized access to confidential or personal
information
16E-business Risks
- Parties denying transactions because of
insufficient audit trail - Inadequate participation by customers and
stakeholders because of lack of confidence in
information security, privacy and system
reliability - Embarrassment caused by crackers
17Some Industry Statistics
- In the 2003 Computer Crime and Security Survey
of the CSI, 56 of the respondents acknowledged
financial losses due to customer breaches. - In the same survey, 46 of respondents detected
system penetration from the outside and 45 from
the inside.
18Some Industry Statistics
- The cost of these incidents is reported at
201,797,340 USD - In another survey, 17 of CIOs who experienced
external computer crime said the attacks cost
their company more than 1 million (CIO Magazine)
19Some Industry Statistics
- The results of a test in 2002 showed that, on
average, it took 34 hours of forensics research
to uncover and understand an unauthorized entry,
while it took the cracker less than a minute to
crack the system. (Honeynet Projects Forensics
Challenge)
20Internet Security Issues
- Securing the web server
- Securing information that travels between the web
server and the user - Protecting the organizations systems
- Protecting the users computer
21Damages of Website Cracking
- Theft of data.
- Web site defacement.
- Web site alteration, e.g., changing a sentence in
the terms and conditions of an e-business
service, thus exposing a company to liabilities.
22Other Damages of Cracking
- Alteration of business systems
- Denial of service
23Virus Infection
- Propagate by email
- Infected through data download
- Infected through diskettes or internal file
transfer
24Damage Caused by Viruses
- Loss of business information
- Down time for mission critical systems
- Loss of customer confidence
- Unauthorized disclosure of confidential or
personal information
25Approach to Security
- Identify Risks
- Costs of those risks
- Costs of covering those risks
- Make hard decisions
26Coverage of Session
- What is meant by e-Business
- What is meant by E-Business Infrastructure
- What is meant by e-Business Security
- Security - Risks and Benefits
- State of E-business Security
- Professional Standards
- Notes on Wireless Security
27State of E-business Security
- Not well defined
- Numerous standards
- Defining Infrastructure Helps
- Incidents are down and spending is up good sign
28Coverage of Session
- What is meant by e-Business
- What is meant by E-Business Infrastructure
- What is meant by e-Business Security
- Security - Risks and Benefits
- State of E-business Security
- Professional Standards
- Notes on Wireless Security
29International Pronouncement
- IAPS 1013 - Electronic Commerce Effect on the
Audit of Financial Statements - http//www.ifac.org/Store/Details.tmpl?SID1020391
644143062Cart10288243744623
30Main Points in IAPS 1013
- Knowledge of Business
- E-Business Infrastructure
- System and Process Integration
- Dependence on Internet
- Controls over encryption
- Legal issues
- Impact on audit evidence
31Coverage of Session
- What is meant by e-Business
- What is meant by E-Business Infrastructure
- What is meant by e-Business Security
- Security - Risks and Benefits
- State of E-business Security
- Professional Standards
- Notes on Wireless Security
32Notes on Wireless Security
- Wireless LANs (WiFi) - 802.11(b)
- WEP
- Bluetooth
- Cell Phones
33Wireless Network Security (802.11)
- Native system weak - WEP (Wired Equivalency
Protocol) - Default is no WEP security needs to be enabled
at high encryption level - Set MAC Address Security
34Need Protection from
- Denial of service attacks
- Parking lot attacks
- Man-in-the Middle Attacks
- Session Hijacking
35WLAN Security Basic Recommendations
- Develop a Security Policy
- Enable WEP
- Restrict MAC Address Access
- Bluetooth Security
- Profiles - Headset, LAN, PAN
- Passkeys (unit and combination)
- Authentication and encryption
36Conclusions Needed for e-Business
Infrastructure Security
- Infrastructure Definition and Monitoring
- Infrastructure Level Risk/Benefit Evaluation and
Implementation - Process for Ongoing Security Change Management
- Oversight, Resources and Constant Vigilance
37Presentation for Download
- http//www.zorba.ca/e-Business Security.htm
38(No Transcript)