
Information Risk Management E-Commerce Seminar, University of Queensland. Duncan C Martin, KPMG, dcmartin@kpmg.com.au. Disclaimer: This presentation has been prepared by Duncan C Martin, of KPMG IRM in Brisbane. The views expressed are those of the author, and not necessarily those of KPMG.


Presentation Transcript


  1. kpmg

  2. Information Risk Management • E-Commerce Seminar • University of Queensland • Duncan C Martin • KPMG • dcmartin@kpmg.com.au

  3. Disclaimer This presentation has been prepared by Duncan C Martin, of KPMG IRM in Brisbane. The views expressed are those of the author, and not necessarily those of KPMG

  4. Agenda • A few basics • What do we mean by risk? • What’s special about e-Commerce risks? • Approaches to managing certain components of risk • Questions

  5. What is e-Commerce? • Internet-enabled commerce • ‘Sexy’ - but dangerous • Inward risks - hacking, denial of service • Outward risks - unauthorised disclosure of private information and IP • The Internet itself is a global network of computer networks (comparable to the telephone network) with no owner or single administrative body

  6. Types of e-Commerce - 1 • Business to Business (B2B) • Internet enabled relationships with business partners, customers, suppliers (extranets) • Business to Consumer (B2C) • Relationships with individual customers/end-users • Intra-Business (Intra-B) • Relationships within or between internal businesses/functional areas

  7. Types of e-Commerce - 2 • Customer to Business (C2B) • “Reverse” market, where customer dictates product/service and terms of delivery (Priceline) • Customer to Customer (C2C) • Consumers interacting directly to create spot markets (eBay)

  8. Typical stages of e-Commerce • Stage: 1 - establishing an Internet and e-Commerce presence through e-mail • Stage: 2 - establishing a visual e-Commerce presence with a pre-sale and post-sale web site • Stage: 3 - on-line order entry • Stage: 4 - internal integration of web based e-Commerce activities and “back office” functions • Stage: 5 - external integration of seller and buyer networks to allow automated supply-chain management • Stage: 6 - complete integration of technology including core technologies

  9. What is risk? “The exposure to the possibility of such things as economic or financial loss or gain, physical damage, injury or delay, as a consequence of pursuing a particular course of action.”

  10. General risks • Some unique general risks present themselves: • Possible loss of public confidence (if control failures are publicised) • Failure to comply with legal and regulatory requirements (possibly in multiple jurisdictions) • Erosion of traditional control mechanisms (loss of ‘common sense’ and compensating controls) • Technical complexity of infrastructure and systems • High reliance on third-parties (Trust)

  11. Specific risks • Specific e-Commerce risks are many and varied. It is convenient to group them as follows: • Strategic risks • Project and operational risks • Infrastructure risks

  12. Strategic risks • Risks to the e-Commerce initiative due to the overall strategy/plan • E-Commerce strategy itself • Senior management support • Competing organisational priorities • Legal and regulatory issues • Invalid assumptions

  13. Project/operational risks • Risks due to the implementation project itself, IT operations, and routine use of the system • Financial and human resources • In-house expertise • Outsource partners • Stakeholders • Support processes • Monitoring

  14. Infrastructure risks • Risks due to the underlying application and technical (hardware and network) infrastructures • The technical infrastructure • Security over the technical infrastructure • System availability/reliability • Application security controls • Application processing controls • Interfaces with other systems

  15. What and where is the risk? • What is the approach to managing strategic risk? • What is the approach to managing project risk? • What is the approach to managing information and technology risk?

  16. Assessing the risk • E-Commerce strategy relative to overall business goals • E-Commerce program management • Operations management • Application infrastructure • Technology infrastructure

  17. Threats • Environmental - fire, flood, earthquake, hurricane, extreme heat, extreme cold • Unintentional - hardware failures, software bugs, operational errors and accidents • Intentional, insider - disgruntled employee, former employee, contractor • Intentional, outsider - hacker, spy, fraudster, unscrupulous competitor

  18. Traditionally • People actively in the loop - policy enforcement • Physical isolation of information • Restricted logical access • Business hours

  19. INTERNET E-Commerce environment • Protection policy enforced by machine • You can talk to a person, you must program a machine • Machines have a hard time with discretion • Any time, any where, service expectation • Millions of potential customers or clients • Different employee to customer ratios and skill sets

  20. Objectives • Integrity - making sure the data is not altered as it passes between one end point and another: digital signatures ensure the data stream is not altered • Authentication - making sure you know who it is you're talking to at the other end: authentication verifies the remote user • Confidentiality - preventing unauthorised third parties from eavesdropping on your conversation: encryption prevents eavesdropping

  21. Traditional security mechanisms • Confidentiality - • Locked file cabinets, drawers, safes, envelopes, personnel, service counters • Integrity • Product seals, shrink-wrap, signatures, barcodes • Availability • Multiple locations, personnel, alternate delivery options • Non-repudiation • Signatures, confirmations, receipts

  22. E-Commerce mechanisms • Confidentiality • Data encryption, automated access controls, access control lists, passwords, tokens, biometrics • Integrity • Digital signatures, permissions, hash algorithms, audit trails • Availability • System redundancies, back-ups, off-site storage, hot/cold recovery sites, fail-over • Non-repudiation • Audit trails and logs, digital signatures and certificates

  23. Encryption • Plaintext to ciphertext • Renders the message unreadable • Secret key method - the same key encrypts and decrypts • Public key method - two keys: a private key kept secret and never transmitted, and a public key made public. (In practice the public key method is used to safely send a fresh secret key to the recipient, and the message itself is encrypted with the faster secret key algorithm; this combination is known as hybrid encryption.)

  24. Secret key / Public key

  25. Authentication • The truth is not always out there! • Can I trust you? • Who are you? • What can you do? • Is anybody listening?

  26. Authentication

  27. The security factor • Bar chart: 150 executives’ opinion of the major barriers to e-Commerce (% of responses) • Categories: lack of skills, cost, difficult to implement, lack of knowledge, resistance to change, market, security • Security is #1

  28. How real is the risk? • Of the approximately 643 organisations surveyed: • 90% detected security breaches in the last 12 months • 85% detected computer viruses • 79% detected employee abuse of Internet privileges • 70% reported serious breaches (including theft of IP, financial loss, system penetration and DoS attacks) • 74% acknowledged loss due to computer breaches • Only 42% (273) could quantify the loss - a total of US$266 million • Source: Computer Security Institute, “2000 Computer Crime and Security Survey”, March 2000

  29. And in the e-Commerce environment • 61 respondents had experienced sabotage of networks, at an estimated loss of US$27 million (last year US$11 million) • E-Commerce: • 93% of respondents have www sites • 64% of those attacked reported web-site vandalism • 60% reported Denial of Service (DoS) attacks • 43% conduct e-Commerce (30% in 1999) • 19% had had unauthorised access • 32% didn’t know if their systems had been misused • 3% reported financial fraud

  30. Three stages to security • Secure the operating platform • Secure the web server software • Secure the business applications

  31. Secure the operating environment • Remove unnecessary services • Restrict access • physical • logical - ‘two out of three’ (two of: something you know, something you have, something you are) • Keep the OS up to date • Keep it simple

  32. Secure the web server • Change the shipped/standard defaults • Keep the web server software updated • Audit web server logs
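The “audit web server logs” step of slide 32, as an added example written for this page (not code from the presentation or from KPMG). It parses Common Log Format lines and flags the things an auditor would look for first: directory traversal in the decoded path, known probe strings, unexpected HTTP methods, and a client racking up 4xx responses. The sample log lines are constructed, the probe strings and the error threshold of four are assumptions, and the names ParseCLF, Audit and Finding belong to this example only.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample of Common Log Format lines (not from any real server).
const sampleLog = `10.0.0.5 - - [12/Mar/2000:09:15:02 +1000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [12/Mar/2000:09:15:04 +1000] "GET /catalog.cgi?item=42 HTTP/1.0" 200 2210
203.0.113.7 - - [12/Mar/2000:09:16:10 +1000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 210
203.0.113.7 - - [12/Mar/2000:09:16:11 +1000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 210
203.0.113.7 - - [12/Mar/2000:09:16:12 +1000] "GET /admin/ HTTP/1.0" 403 180
203.0.113.7 - - [12/Mar/2000:09:16:13 +1000] "GET /backup.zip HTTP/1.0" 404 210
203.0.113.7 - - [12/Mar/2000:09:16:14 +1000] "TRACE / HTTP/1.0" 405 120
192.0.2.9 - - [12/Mar/2000:09:17:00 +1000] "POST /order.cgi HTTP/1.0" 200 512`

// LogEntry is one parsed Common Log Format record.
type LogEntry struct {
	Client string
	When   string
	Method string
	Path   string
	Status int
}

var clfRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$`)

// ParseCLF parses one CLF line; ok is false for lines that do not match.
func ParseCLF(line string) (LogEntry, bool) {
	m := clfRe.FindStringSubmatch(line)
	if m == nil {
		return LogEntry{}, false
	}
	status, _ := strconv.Atoi(m[5])
	return LogEntry{Client: m[1], When: m[2], Method: m[3], Path: m[4], Status: status}, true
}

// Finding is one flagged event with the reason it was flagged.
type Finding struct {
	Client string
	Reason string
	Line   string
}

// Assumed probe strings: substrings of a decoded request path that indicate a
// known attack pattern rather than legitimate use of the site.
var probeStrings = []string{"/etc/passwd", "cmd.exe", "\x00"}

func containsAny(s string, subs []string) bool {
	for _, sub := range subs {
		if strings.Contains(s, sub) {
			return true
		}
	}
	return false
}

// Audit scans CLF text and returns findings: traversal attempts and probe
// strings in the decoded path, unexpected methods, unparseable lines, and any
// client with at least errThreshold 4xx responses (a typical scanner footprint).
func Audit(logText string, errThreshold int) []Finding {
	var findings []Finding
	errCount := map[string]int{}
	scanner := bufio.NewScanner(strings.NewReader(logText))
	for scanner.Scan() {
		line := scanner.Text()
		e, ok := ParseCLF(line)
		if !ok {
			findings = append(findings, Finding{Reason: "unparseable line", Line: line})
			continue
		}
		// Decode before matching so %2e%2e and %00 cannot hide from the checks.
		decoded, err := url.PathUnescape(e.Path)
		if err != nil {
			decoded = e.Path
		}
		lower := strings.ToLower(decoded)
		switch {
		case strings.Contains(lower, ".."):
			findings = append(findings, Finding{e.Client, "directory traversal attempt", line})
		case containsAny(lower, probeStrings):
			findings = append(findings, Finding{e.Client, "known probe string in path", line})
		case e.Method != "GET" && e.Method != "POST" && e.Method != "HEAD":
			findings = append(findings, Finding{e.Client, "unexpected HTTP method " + e.Method, line})
		}
		if e.Status >= 400 && e.Status < 500 {
			errCount[e.Client]++
		}
	}
	for client, n := range errCount {
		if n >= errThreshold {
			findings = append(findings, Finding{client, fmt.Sprintf("%d client errors: probable scanning", n), ""})
		}
	}
	return findings
}

func main() {
	for _, f := range Audit(sampleLog, 4) {
		fmt.Printf("%-12s %s  %s\n", f.Client, f.Reason, f.Line)
	}
}
```

On the sample above this reports the encoded traversal, the cmd.exe probe, the TRACE request and the scanning client 203.0.113.7 with five client errors. The decode-before-match step is the part worth keeping: matching on the raw request line misses the `%2e%2e` form entirely.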

  33. Secure the application • Test the software • Keep up to date - bug alerts • Security awareness • Segregation of duties • Knowledgeable staff

  34. Firewalls • Additional protection (never run the web server on the firewall itself) • Configurations • Sacrificial lamb: internal network - firewall - web server - Internet (the web server sits outside the firewall, is treated as likely to be compromised, and so must hold nothing sensitive) • DMZ (DeMilitarised Zone): internal network - firewall - web server - firewall - Internet • Policies • “Except for” - everything is permitted except what is explicitly blocked (default allow; typical of academia) • “Only” - nothing is permitted except what is explicitly allowed (default deny; typical of corporations) • Audit firewall logs

  35. Securing web servers • Security tools • Security scanners • Intrusion detection systems • File modification monitors • Hacker deception tools • Dynamic memory buffering • False responses • Third party services • Penetration testing • Certification
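The “file modification monitors” tool of slide 35, as an added example written for this page (not code from the presentation, from KPMG, or from any named product). It takes a SHA-256 baseline of a web server's document root and later reports files that were modified, added or removed, which is how a defacement or a dropped script is spotted. The temporary document root, its files and the names Snapshot, Compare and Baseline are all constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a file path (relative to the monitored root, slash-separated)
// to its SHA-256 hex digest.
type Baseline map[string]string

// Snapshot hashes every regular file under root. Keep the result somewhere the
// web server account cannot write (another host, read-only media); an intruder
// who can alter a page and the baseline together defeats the monitor.
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		sum, err := hashFile(path)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, path)
		b[filepath.ToSlash(rel)] = sum
		return nil
	})
	return b, err
}

func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Change describes one difference between the baseline and the current state.
type Change struct {
	Path string
	Kind string // "modified", "added" or "removed"
}

// Compare returns the differences between old and current, sorted by path so
// the report is stable enough to diff against or alert on.
func Compare(old, current Baseline) []Change {
	var changes []Change
	for path, sum := range old {
		cur, ok := current[path]
		switch {
		case !ok:
			changes = append(changes, Change{path, "removed"})
		case cur != sum:
			changes = append(changes, Change{path, "modified"})
		}
	}
	for path := range current {
		if _, ok := old[path]; !ok {
			changes = append(changes, Change{path, "added"})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Path < changes[j].Path })
	return changes
}

func main() {
	// Constructed document root in a temporary directory.
	root, err := os.MkdirTemp("", "htdocs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "index.html"), []byte("<h1>Welcome</h1>"), 0o644)
	os.MkdirAll(filepath.Join(root, "cgi-bin"), 0o755)
	os.WriteFile(filepath.Join(root, "cgi-bin", "order.cgi"), []byte("#!/bin/sh\necho ok\n"), 0o755)

	before, _ := Snapshot(root)
	// Simulate a defacement and an unexpected new script in cgi-bin.
	os.WriteFile(filepath.Join(root, "index.html"), []byte("<h1>Defaced</h1>"), 0o644)
	os.WriteFile(filepath.Join(root, "cgi-bin", "extra.cgi"), []byte("#!/bin/sh\n# not part of the site\n"), 0o755)
	after, _ := Snapshot(root)

	for _, c := range Compare(before, after) {
		fmt.Printf("%-9s %s\n", c.Kind, c.Path)
	}
}
```

Content hashes catch changes that a timestamp-only check misses, since an intruder can reset mtime after editing a file. Run the comparison from a scheduled job under an account other than the web server's, and treat any change outside a planned deployment window as an incident to investigate.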

  36. Security policy • Responsibility and accountability • Internet related • Use of tools & review of logs • Incident handling and response • Recovery procedures • Communication and update • Dedicated security resources • Expert resources and reviews

  37. Summary • Multi-layered approach • Platform • Web server • Web applications • Firewalls and tools • Security policy • Security is the continuous assessment of risk against expense • Security is an enabling technology for e-Commerce

  38. Common KPMG findings • Blind reliance on the technology - plug and play • Inadequate network intrusion monitoring controls • Policies and procedures are incomplete or weak

  39. Key messages • Security & e-Commerce have a symbiotic relationship • Risks cannot be totally eliminated, but they can be controlled with solutions and procedures • Clients are evaluating PKI solutions for e-Commerce needs • Security risks in e-Commerce are real

  40. Questions?

  41. kpmg
