Secure e-Business Infrastructure Gerald Trites, CA*CISA, FCA Professor of Accounting and Information Systems St Francis Xavier University
Coverage of Session • What is meant by e-Business • What is meant by E-Business Infrastructure • What is meant by e-Business Security • Security - Risks and Benefits • State of E-business Security • Professional Standards • Notes on Wireless Security
Definition of e-Business • In a very broad and general sense, electronic business has often been defined as any business carried out in electronic form. • “e-Business is the complex fusion of business processes, enterprise applications, and organizational structure necessary to create a high-performance business model.” - Kalakota and Robinson
Components of e-Business • Strategic internet commerce • Collaborative commerce • Mobile Commerce • E-Business involves a technological and business infrastructure
E-business Infrastructure - Definitions • Basis for security strategy • Definition - IBM paper (pg 15) • Dell - http://www.dell.com/us/en/esg/topics/products_infrastructure_arc_pedge_000_internet-infra.htm
Infrastructure – a broader perspective • Hardware and operating systems • Networking infrastructure and technology • Intranets, extranets, shared technologies, policies, collaboration, including wireless • Enterprise resource planning • Data management- Data warehousing - Business intelligence applications • Web infrastructure and Internet applications • Software and related infrastructure
What is meant by e-Business Security • The infrastructure as a whole must be secure • IAPS 1013 – Para 9 • Policies • Risk/Benefit Approach • Administration
E-Business Risks • We will address the incremental risks of E-business. • Risks that apply to traditional IT also apply to e-business. Some of the controls to address the incremental risks also apply to traditional risks.
General e-Business Security Risks • Web/Internet exposure • Access to back office systems • Integration of collaborative systems • Particular importance of encryption, digital certificates, PKI, etc. • Growth of wireless
E-Business Risks • Incomplete transactions because of network breakdown. • Incomplete or inaccurate transactions because of cracker interception.
E-Business Risks • Unauthorized transactions • Unauthorized access to confidential or personal information
E-business Risks • Parties denying transactions because of insufficient audit trail • Inadequate participation by customers and stakeholders because of lack of confidence in information security, privacy and system reliability • Embarrassment caused by crackers
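A worked illustration of two of the risks listed above, inaccurate transactions and parties denying transactions because of an insufficient audit trail: a tamper-evident transaction log in which every entry's MAC covers the record and the previous entry's MAC, so an altered, deleted or reordered transaction breaks the chain. This is an added example written for this page, not material from the presentation; the key, transaction records and field names are constructed. One limit worth stating: an HMAC key is shared by writer and verifier, so the chain proves integrity but not non-repudiation. Stopping a party from denying a transaction needs a signature bound to that party's certificate, which is the PKI point made in the general-risk slide.

```python
"""Tamper-evident transaction log built as an HMAC chain.

Added example; LOG_KEY, the records and the field names are constructed for
illustration and are not taken from any real system."""
import copy
import hashlib
import hmac
import json

# Constructed demo key. In practice it comes from a key store; because the
# verifier holds the same key this gives integrity, not non-repudiation.
LOG_KEY = b"demo-log-key-do-not-use-in-production"
GENESIS = "00" * 32  # stands in for "previous MAC" on the first entry


def canonical(record: dict) -> bytes:
    """Deterministic serialization so the same record always MACs identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_mac(prev_mac: str, record: dict, key: bytes) -> str:
    """MAC over previous MAC || record, which is what links the chain."""
    return hmac.new(key, prev_mac.encode() + b"|" + canonical(record), hashlib.sha256).hexdigest()


def append_entry(log: list, record: dict, key: bytes = LOG_KEY) -> str:
    """Append a record chained to the current head; returns the new head MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    mac = entry_mac(prev, record, key)
    log.append({"record": record, "prev": prev, "mac": mac})
    return mac


def verify_log(log: list, key: bytes = LOG_KEY, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry).

    expected_head is the last MAC the verifier recorded out of band. Without it
    an attacker can silently truncate the newest entries and the chain still
    verifies, so the head must be anchored somewhere the writer cannot reach."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(entry_mac(prev, entry["record"], key), entry["mac"]):
            return False, i
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)  # chain consistent but shorter than the anchored head
    return True, None


def demo():
    """Constructed transactions; returns the verifier's verdict for each attack."""
    log = []
    head = None
    for rec in [
        {"txn": 1001, "customer": "C-17", "amount": 250.00, "currency": "CAD"},
        {"txn": 1002, "customer": "C-42", "amount": 1200.00, "currency": "CAD"},
        {"txn": 1003, "customer": "C-17", "amount": 75.50, "currency": "CAD"},
    ]:
        head = append_entry(log, rec)
    results = {"intact": verify_log(log, expected_head=head)}

    altered = copy.deepcopy(log)
    altered[1]["record"]["amount"] = 12.00            # edit an amount in place
    results["altered"] = verify_log(altered, expected_head=head)

    deleted = copy.deepcopy(log)
    del deleted[1]                                    # remove a transaction
    results["deleted"] = verify_log(deleted, expected_head=head)

    truncated = copy.deepcopy(log)[:-1]               # drop the newest entry
    results["truncated"] = verify_log(truncated, expected_head=head)
    results["truncated_no_head"] = verify_log(truncated)  # not detectable without the anchor
    return results
```

The last case is the one auditors most often miss: dropping the tail of a chained log leaves a perfectly valid chain, which is why the current head MAC has to be published or escrowed outside the system that writes the log.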
Some Industry Statistics • In the 2003 “Computer Crime and Security Survey” of the CSI, 56% of the respondents acknowledged financial losses due to computer security breaches. • In the same survey, 46% of respondents detected system penetration from the outside and 45% from the inside.
Some Industry Statistics • The cost of these incidents is reported at $201,797,340 USD • In another survey, 17% of CIOs who experienced “external computer crime” said the attacks cost their company more than $1 million (CIO Magazine)
Some Industry Statistics • The results of a test in 2002 showed that, on average, it took 34 hours of forensics research to uncover and understand an unauthorized entry, while it took the cracker less than a minute to crack the system. (Honeynet Project’s Forensics Challenge)
Internet Security Issues • Securing the web server • Securing information that travels between the web server and the user • Protecting the organization’s systems • Protecting the user’s computer
Damages of Website Cracking • Theft of data. • Web site defacement. • Web site alteration, e.g., changing a sentence in the terms and conditions of an e-business service, thus exposing a company to liabilities.
Other Damages of Cracking • Alteration of business systems • Denial of service
Virus Infection • Propagate by email • Infected through data download • Infected through diskettes or internal file transfer
Damage Caused by Viruses • Loss of business information • Down time for mission critical systems • Loss of customer confidence • Unauthorized disclosure of confidential or personal information
Approach to Security • Identify Risks • Costs of those risks • Costs of covering those risks • Make hard decisions
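The four steps on this slide can be carried out quantitatively. The script below, an added example and not part of the presentation, costs each risk as an annualized loss expectancy (single loss expectancy times annual rate of occurrence), costs each candidate control, and then selects controls greedily by net benefit (ALE reduction minus annual cost) inside a fixed budget. Every figure, risk name and control name is constructed for illustration; the point is the decision procedure, including the "hard decision" of declining a control whose cost exceeds the loss it prevents.

```python
"""Risk/benefit selection of controls using annualized loss expectancy.

Added example; all dollar figures, rates and control effects are constructed."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    single_loss: float   # expected loss per incident (SLE), dollars
    annual_rate: float   # expected incidents per year (ARO)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.single_loss * self.annual_rate


@dataclass
class Control:
    name: str
    annual_cost: float
    mitigates: dict = field(default_factory=dict)  # risk name -> fraction of ALE removed


def residual_ale(risks, controls) -> float:
    """ALE left after applying controls; overlapping reductions combine multiplicatively."""
    total = 0.0
    for r in risks:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.mitigates.get(r.name, 0.0)
        total += r.ale * remaining
    return total


def choose_controls(risks, candidates, budget):
    """Greedy: add the affordable control with the largest positive net benefit
    (ALE reduction minus its cost) until none pays for itself.
    Returns (chosen controls, residual ALE, annual spend)."""
    chosen, spend, remaining = [], 0.0, list(candidates)
    while True:
        current = residual_ale(risks, chosen)
        best, best_net = None, 0.0
        for c in remaining:
            if spend + c.annual_cost > budget:
                continue
            net = current - residual_ale(risks, chosen + [c]) - c.annual_cost
            if net > best_net:
                best, best_net = c, net
        if best is None:  # nothing affordable has a positive net benefit
            return chosen, residual_ale(risks, chosen), spend
        chosen.append(best)
        remaining.remove(best)
        spend += best.annual_cost


# Constructed figures for a small e-business site (not from the presentation).
RISKS = [
    Risk("web defacement", single_loss=40_000, annual_rate=0.5),
    Risk("back-office data theft", single_loss=500_000, annual_rate=0.1),
    Risk("network outage loses transactions", single_loss=20_000, annual_rate=2.0),
]
CONTROLS = [
    Control("web server hardening and patching", 15_000, {"web defacement": 0.8}),
    Control("segmented DMZ with application firewall", 30_000,
            {"back-office data theft": 0.6, "web defacement": 0.3}),
    Control("redundant links and transaction retry", 25_000,
            {"network outage loses transactions": 0.7}),
    Control("24x7 managed monitoring", 120_000,
            {"back-office data theft": 0.3, "web defacement": 0.5}),
]


def report(budget=60_000):
    chosen, residual, spend = choose_controls(RISKS, CONTROLS, budget)
    lines = [f"baseline ALE: {residual_ale(RISKS, []):,.0f}"]
    lines += [f"select: {c.name} ({c.annual_cost:,.0f}/yr)" for c in chosen]
    lines.append(f"spend {spend:,.0f}/yr, residual ALE {residual:,.0f}")
    return "\n".join(lines)
```

With these constructed numbers the DMZ is chosen first (it reduces two risks at once), the redundant links second, and web hardening is rejected: once the DMZ has already cut defacement losses, the remaining reduction no longer covers its cost. The monitoring service never fits the budget. Change the inputs and the procedure, not the conclusion, is what carries over.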
State of E-business Security • Not well defined • Numerous standards • Defining Infrastructure Helps • Incidents are down and spending is up – good sign
International Pronouncement IAPS 1013 - Electronic Commerce: Effect on the Audit of Financial Statements • http://www.ifac.org/Store/Details.tmpl?SID=1020391644143062&Cart=10288243744623
Main Points in IAPS 1013 • Knowledge of Business • E-Business Infrastructure • System and Process Integration • Dependence on Internet • Controls over encryption • Legal issues • Impact on audit evidence
Notes on Wireless Security • Wireless LANs (WiFi) - 802.11(b) • WEP • Bluetooth • Cell Phones
Wireless Network Security (802.11) • Native protection is weak - WEP (Wired Equivalent Privacy) • Default is no WEP security – needs to be enabled at the highest key length the equipment offers (128-bit, i.e. a 104-bit key plus 24-bit IV) • Set MAC Address Security (restrict association to known adapters) • Caveat: WEP's use of RC4 with short, cleartext IVs was shown to allow key recovery in 2001 (Fluhrer, Mantin and Shamir), and MAC addresses are trivially spoofed, so both measures deter casual association rather than stop a determined attacker
Need Protection from • Denial of service attacks • Parking lot attacks • Man-in-the Middle Attacks • Session Hijacking
WLAN Security Basic Recommendations • Develop a Security Policy • Enable WEP (better than no encryption, but its known key-recovery weaknesses mean it cannot be relied on alone) • Restrict MAC Address Access
Bluetooth Security • Profiles - Headset, LAN, PAN • Passkeys (unit and combination) • Authentication and encryption
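Why the "native system weak" remark and the "enable WEP" recommendation sit uneasily together is easier to see in code. The script below, an added example rather than anything from the presentation, builds a minimal WEP-style frame exactly as the standard does (a 24-bit IV sent in clear, RC4 keyed with IV||key, and a CRC-32 integrity check value appended to the payload) and then shows three structural weaknesses without recovering the key: the 24-bit IV space repeats after a few thousand frames, a repeated IV leaks the XOR of two payloads, and because CRC-32 is linear an attacker can flip chosen payload bits and correct the encrypted ICV. The key, IV and payloads are constructed; the RC4 is written out so the script runs offline. The FMS key-recovery attack itself is not implemented here.

```python
"""WEP-style frames and three weaknesses an attacker uses without the key.

Added example; key, IV and payloads are constructed. RC4 here only models WEP."""
import struct
import zlib
from math import exp

IV_BITS = 24  # WEP transmits a 24-bit IV in clear with every frame


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP's integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """Frame body = IV || RC4(IV||key) XOR (payload || ICV)."""
    return iv + xor(payload + icv(payload), rc4_keystream(iv + key, len(payload) + 4))


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver side: returns (payload, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    payload, tag = plain[:-4], plain[-4:]
    return payload, tag == icv(payload)


def iv_collision_probability(frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday bound: probability that at least two of `frames` random IVs repeat."""
    return 1.0 - exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes, known_payload_a: bytes) -> bytes:
    """Two frames under one IV share a keystream: C_a XOR C_b = P_a XOR P_b,
    so knowing P_a (a predictable request, say) yields P_b. No key involved."""
    assert frame_a[:3] == frame_b[:3], "different IVs, different keystreams"
    n = len(known_payload_a)
    return xor(xor(frame_a[3:3 + n], frame_b[3:3 + n]), known_payload_a)


def bitflip_frame(frame: bytes, delta: bytes) -> bytes:
    """CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0). XOR `delta`
    into the encrypted payload and the matching correction into the encrypted
    ICV and the receiver's integrity check still passes."""
    iv, body = frame[:3], frame[3:]
    payload_len = len(body) - 4
    assert len(delta) == payload_len
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(payload_len))
    return iv + xor(body, delta + struct.pack("<I", icv_delta & 0xFFFFFFFF))


def demo():
    """Constructed traffic: one predictable request and one payment message."""
    key = b"\x0b\xad\xc0\xff\xee"   # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"            # the same IV reused on both frames
    pay_a = b"GET /cart?item=42 HTTP/1.0"
    pay_b = b"PAY amount=00100.00 to=09 "  # same length as pay_a
    frame_a = wep_encrypt(iv, key, pay_a)
    frame_b = wep_encrypt(iv, key, pay_b)
    delta = bytearray(len(pay_b))
    delta[11] = ord("0") ^ ord("9")  # turn 00100.00 into 90100.00
    forged = bitflip_frame(frame_b, bytes(delta))
    return {
        "p_iv_repeat_5000_frames": iv_collision_probability(5000),
        "leaked_payment": keystream_reuse_leak(frame_a, frame_b, pay_a),
        "forged_decrypts_to": wep_decrypt(key, forged),
    }
```

Two of the three properties are independent of key length, which is why enabling 128-bit WEP does not change the picture: the IV is 24 bits either way, and the ICV is CRC-32 either way. A shared key with MAC filtering on top is still worth switching on against opportunistic association, but an e-business wireless segment needs stronger link security than this or an encrypted layer (VPN or TLS) above it.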
Conclusions – Needed for e-Business Infrastructure Security • Infrastructure Definition and Monitoring • Infrastructure Level Risk/Benefit Evaluation and Implementation • Process for Ongoing Security Change Management • Oversight, Resources and Constant Vigilance
Presentation for Download http://www.zorba.ca/e-Business Security.htm