
eSecurity

eSecurity. AIIA / WITSA Policy Forum 9 March 2001. Eric Keser Principal eSecurity Solutions. e-COMMERCE Security Exposures. New Exposures: Public, private, and not-so-private networks Direct connections with business partners Automated business processes Fewer humans in the loop


Presentation Transcript

  1. eSecurity
     AIIA / WITSA Policy Forum, 9 March 2001
     Eric Keser, Principal, eSecurity Solutions

  2. e-COMMERCE: Security Exposures
     • New exposures:
       • Public, private, and not-so-private networks
       • Direct connections with business partners
       • Automated business processes
       • Fewer humans in the loop
       • New types of trust relationships
     = more exposure to threats to security and reliability

  3. e-COMMERCE: Security Attacks
     • Attacks:
       • Insiders (83%) and outsiders (58%)
     • Easy to learn to hack:
       • www.r00t.org
       • www.rootshell.com
       • www.2600.com
       • www.l0pht.com
       • www.hackersclub.com
       • ftp.technotronic.com
       • oliver.efri.hr/~crv

  4. e-COMMERCE: Security Requirements
     • To ensure availability of information and services
     • To securely allow access to information and services
     • To prevent loss of integrity of information and transactions
     • To provide authenticity of all parties
     • To provide confidentiality of information and transactions
     • To provide non-repudiation to all parties
     • To provide an audit log of significant events
     • To provide fraud prevention and other mis-use controls

  5. e-COMMERCE: Technology Solutions
     • Firewall (81%)
       • 70-80% mis-configured
     • Testing: 84% external, 72% in-house
     [Bar chart: adoption, 0-100%; bar: FIREWALL]

  6. e-COMMERCE: Technology Solutions
     • Cryptography
       • SSL (43%)
       • SET (47%)
       • Digital Certificates (69%)
     [Bar chart: adoption, 0-100%; bars: SET, SSL, FIREWALL, Digital Cert.]

  7. e-COMMERCE: Technology Solutions
     • Other (81%)
       • Algorithms: MD5, SHA, RSA, DES, X.509, IDEA
       • Applications: PGP, PEM
     [Bar chart: adoption, 0-100%; bars: SET, SSL, Other, FIREWALL, Digital Cert.]

  8. e-COMMERCE: People Solutions
     • Security organisational structure
     • Roles and responsibilities
     • Emergency response program
     • Security awareness program
     • Risk management program
     • Monitoring and escalation program

  9. PRIVACY

  10. PRIVACY: Changes
     • The Privacy Amendment (Private Sector) Act 2000 is effective 22 December 2001. It imposes privacy obligations on most private sector organisations.
     • It requires compliance with the National Privacy Principles (NPPs) or an approved privacy code.

  11. PRIVACY: International Exchange
     • Restricts the international transfer of personal information by an Australian organisation.
     • The recipient country must have in place a law, binding scheme or contract which upholds privacy standards equivalent to the NPPs.
     • Hong Kong, New Zealand and Taiwan have comprehensive privacy regimes in place.

  12. PRIVACY: International Exchange
     • Other Asia-Pacific countries are in the process of developing, or have in place, specific industry codes or guidelines.
     • Canada and the EU similarly have legislation in place.
     • The USA is still developing its self-regulatory model.

  13. PRIVACY: System Issues
     • Organisations must provide ‘opt outs’ on all direct marketing material.
     • Systems are generally not capable of efficiently administering such a scheme; it may be necessary to provide two levels of filter, e.g. one flag which records the preference not to receive direct marketing, and another flag which ensures that general information (e.g. bank statements) will still be sent to the customer.
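The two-level filter described on this slide, as an added illustration (not code from the presentation or from eSecurity Solutions): a naive single "do not contact" flag beside a two-flag design, run over a constructed outbound queue of marketing and service messages. The customer ids, message classes and subjects are invented for the example; the design point it shows is that a single flag silently suppresses bank statements for anyone who opts out of marketing, while the two-flag design only suppresses the marketing.

```python
from dataclasses import dataclass
from enum import Enum


class MessageClass(Enum):
    DIRECT_MARKETING = "direct_marketing"  # promotional material: must honour opt-out
    SERVICE = "service"                    # statements, notices, account information


@dataclass(frozen=True)
class CustomerPreferences:
    customer_id: str
    marketing_opt_out: bool       # flag 1: customer has opted out of direct marketing
    service_comms_enabled: bool   # flag 2: general information must still be delivered


def naive_single_flag(prefs: CustomerPreferences, message_class: MessageClass) -> bool:
    """The one-flag design the slide warns about: one 'do not contact' flag
    suppresses everything, so an opted-out customer stops receiving statements."""
    return not prefs.marketing_opt_out


def may_send(prefs: CustomerPreferences, message_class: MessageClass) -> bool:
    """Two-level filter: the opt-out flag governs only direct marketing; a
    separate flag governs general (service) information."""
    if message_class is MessageClass.DIRECT_MARKETING:
        return not prefs.marketing_opt_out
    if message_class is MessageClass.SERVICE:
        return prefs.service_comms_enabled
    raise ValueError(f"unclassified message: {message_class!r}")


# Fail closed for marketing when no preference record exists; service mail is
# still delivered because the customer is entitled to it (hypothetical default).
DEFAULT_PREFS = dict(marketing_opt_out=True, service_comms_enabled=True)


def filter_outbound(prefs_by_customer, queue, policy=may_send):
    """Split an outbound queue of (customer_id, MessageClass, subject) tuples
    into (deliverable, suppressed) lists under the given policy function."""
    deliverable, suppressed = [], []
    for customer_id, message_class, subject in queue:
        prefs = prefs_by_customer.get(customer_id) or CustomerPreferences(customer_id, **DEFAULT_PREFS)
        bucket = deliverable if policy(prefs, message_class) else suppressed
        bucket.append((customer_id, message_class.value, subject))
    return deliverable, suppressed


# Constructed sample data: hypothetical customers and messages.
SAMPLE_PREFS = {
    "C001": CustomerPreferences("C001", marketing_opt_out=True, service_comms_enabled=True),
    "C002": CustomerPreferences("C002", marketing_opt_out=False, service_comms_enabled=True),
}
SAMPLE_QUEUE = [
    ("C001", MessageClass.DIRECT_MARKETING, "New credit card offer"),
    ("C001", MessageClass.SERVICE, "Monthly bank statement"),
    ("C002", MessageClass.DIRECT_MARKETING, "New credit card offer"),
    ("C003", MessageClass.DIRECT_MARKETING, "New credit card offer"),  # no preference record
    ("C003", MessageClass.SERVICE, "Monthly bank statement"),
]


def compare_designs():
    """Run both policies over the sample queue; returns the 'customer:subject'
    entries each design suppresses, keyed by design name."""
    return {
        name: sorted(f"{cid}:{subject}"
                     for cid, _, subject in filter_outbound(SAMPLE_PREFS, SAMPLE_QUEUE, policy)[1])
        for name, policy in (("single_flag", naive_single_flag), ("two_flag", may_send))
    }


if __name__ == "__main__":
    for design, suppressed in compare_designs().items():
        print(design, "suppresses:", suppressed)
```

Running it shows the single-flag design withholding the monthly statements of every opted-out customer, which is exactly the administrative problem the slide describes; the two-flag design withholds only the marketing items. Classifying each outbound message at its source (rather than at send time) is what makes the second flag enforceable.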

  14. PRIVACY: System Issues
     • Organisations also need to provide individuals with access to their information.
     • This may be an administrative burden where information is retained on disparate systems. It is also an issue where customer representatives are recording ‘notes’ on systems.
     • Adequate security measures have not been implemented on systems.

  15. THE LAW

  16. LAW: Tyranny of Distance
     • Modern communication lines and information technology have opened a new area of data transfer, which in turn has produced a new form of criminal element.
     • With the advent of the cyber criminal, law enforcement has been confronted with inadequate legislation, the requirement to implement new techniques, and cross-jurisdictional issues.

  17. LAW: Jurisdictional Issues
     • Where was the crime committed?
     • Who should investigate the crime?
     • Who will bear the cost of the investigation?
     • Who has the appropriate legislation to pursue the criminal?

  18. LAW: Policing the Internet
     • Each country has its own answer.
     • Most rely on traditional crime legislation to cover crime on the Internet.
     • Different approaches compound the difficulties of successful pursuit and prosecution.
     • Civil remedies can succeed where criminal prosecution is failing.

  19. THE LAW: Which Law?
     • Offences can now occur across the world, but an incident which equates to an offence in one country does not necessarily equal an offence in another.
     • A recent example of this is the ‘Love Bug’. An investigation was commenced in the USA (where the spread of a computer virus is recognised as an offence) which led to a suspect being tracked to the Philippines. Many problems arose because the country where the suspect was located did not have laws which recognised the spread of a computer virus as an offence.

  20. THE LAW: Offence vs Cost
     • What was the monetary value of the occurrence?
     • vs
     • Cost of sending investigators to the suspect’s location
     • Cost of interviewing witnesses at their location
     • Cost of collating the evidence
     • Cost of prosecution

  21. THE LAW: Where was it committed?
     • The simple premise of “where the crime was committed” causes issues for law enforcement:
       • Does the offender sitting in his bedroom commit the offence from his house?
       • Or is the offence committed on the server he has just hacked into?
       • Do law enforcement investigators have the statutory authority to investigate the offence on either side?
       • Can either jurisdiction successfully prosecute for the offence?

  22. THE LAW: Existing IT crime laws
     • Computer Trespass (Victorian statute)
       • Victorian Statute - Summary Offences Act.1966.7405.9.a.
     • Improper Use of Telecommunications Services
       • Commonwealth Crimes Act 85ZE
     • Defrauding a Carrier
       • Commonwealth Crimes Act 85ZF

  23. THE LAW: Other offences
     • Criminal damage
       • Crimes Act.1958.6231.197.1
     • Obtain Financial Advantage by Deception
       • Crimes Act.1958.6231. 82
     • Falsification of Documents
       • Crimes Act.1958.6231. Sec.83A.(9)
     • Theft?
       • Crimes Act.1958.74

  24. Questions
