Presentation transcript: "Who Are We? KPMG Risk And Advisory Services: Manage risk in automated and financial systems; Understand risks consistent with business need; Evaluate..."


2 Who Are We?
KPMG Risk And Advisory Services
Manage risk in automated and financial systems
Understand risks consistent with business need
Evaluate mitigation measures consistent with business need
Recommend controls and solutions consistent with business need
Carl Salmonsen, CISA, CISSP, B.S. Mgmt Sci; 14 years in IT and Information Security
John Mee, CISSP, MSc Comp. Sci.; 18 years in IT and Information Security

3 eCommerce... Why?
Lower Cost
Increased Efficiency
Speed to Market
Increased Security (huh??)
Improved Customer Service
Creates New Services
More Diverse Customer Base
Physical Size and Location Don't Matter

4 High Profile Examples
eCommerce examples:
Amazon.com - The Internet's largest virtual bookstore
Security First National Bank - The first original virtual bank
eTrade - An online stock broker at reduced prices
Wall Street Journal Interactive - An online version of the WSJ
What eCommerce is:
Use of a common electronic medium
Perform commercial exchanges of value
Transaction between two entities
Commonalities in the examples drive the definition

5 Emerging eCommerce Examples
Digital Content – Peer-to-Peer (starting with Napster); Apple's iTunes Music Store
Mobile eCommerce - Vending (and other) machine purchases using a cell phone or other specialized token or smart card (Europe)
MasterCard - August 28: MasterCard International today unveiled MasterCard® SideCard™, the stylish new payment card which features a modified design small enough to fit on a key ring
MicroPayments – Allows web surfers a method to make small purchases (under $1) for tidbits of on-line content

6 Are Internet (and other) security issues over-hyped?
YES. But... there are valid concerns.

7 Traditional Risks
Lack of Privacy or Confidentiality
Transaction Integrity
False Identification of Transaction Participants
Inability to Prove Transactions Occurred
False Storefronts

8 Somewhat Recent Past Intrusions
Forbes, 1997: Using another employee's ID and password, a disgruntled ex-Forbes business unit employee disrupted the internal communications network, creating an estimated $100,00 in damage.
Citibank, 1994: Using the Fedwire system, Russian hackers compromised passwords and PINs to make more than 40 unauthorized wire transfers totaling nearly $10 million.
Chaos Computer Club, 1997: German hackers (the Chaos Computer Club) demonstrated to German TV audiences an ActiveX module that allows Quicken to transfer money without needing to enter the software's normal security systems.

9 Current Incidents
ATMs: A variety of different scams since the late 1990's, including:
– Criminals buy ATMs and install them in small businesses to obtain the user's mag-stripe and PIN info;
– Plastic covers inserted into machines and over keypads to capture PIN info;
– Cardboard or plastic inserted to trap the card; the thief shoulder-surfs to obtain the PIN.
WaMu: At least three customers have had their ATM access information stolen and used to access their accounts.
Wells Fargo: November: A thief broke into a Wells Fargo contractor's office in Concord and stole a laptop computer containing personal customer information including names, social security numbers, home addresses and banking habits.
PayPal: Customers receive an e-mail with the subject "PayPal Verfication" (the return address is not preserved in this transcript) that asks the customer to verify their confidential information by replying to the e-mail or by being directed to a bogus Internet site.

10 Future Risks
Dramatic growth in B-B, B-C, and B-E
Internet terminals in stores, airports, bars
Self-checkout stands
In short: anything that contains personal information, such as a magnetic stripe on a card:
– Driver's License
– Credit Card
– ATM Card
– Medical Provider Cards

11 Where is the threat coming from? (diagram: MY NETWORK at the centre)
Disgruntled/Former Employees
Competitors
Crooks
Foreign Governments
Hackers

12 Business to Consumer Risks
Diagram: Remote users accessing the EC application over the Internet; Internet -> Firewall -> Internal Network (Web Server)
RISKS:
Intercepted transmission
Denial of service
Network intrusion

13 Business to Business Risks
Diagram: Internal Network -> Firewall -> Internet -> Firewall -> Internal Network
RISKS:
Loss of availability
Can't confirm transmission received
Eavesdropping

14 Potential Business Impact
Public Embarrassment / Image
Compromised Confidential Information
Compromised Integrity Of Information
Disruption of Services (System / Network Outages)
Fraud or Theft of Services
Financial Liability
Criminal Liability Under State or Federal Laws

15 How Do You Implement Adequate Security?

16 Security methodology
Proper security must provide the appropriate assurance that in any transaction:
Both parties are identified and authenticated
Both parties can only perform the actions they are supposed to
The transaction information is correct/unaltered
The transaction is kept confidential
There is proof the transaction occurred (non-repudiation)

17 Security methodology
These assurances provide a secure solution:
Identification
Authentication
Authorization
Confidentiality
Integrity
Non-Repudiation

18 The EC Security Toolkit
Firewalls
Strong authentication
Public key technology
Secure Protocols
Virtual Private Networks
General system security


20 Firewall Solutions
Functions of a Firewall:
Sits between a trusted and an untrusted network
Controls traffic based on service, source, destination, user ID
Denies everything that is not specifically allowed


22 Strong Authentication
What you know, what you have, what you are (where you are?)
Uses two of the above
Several main types:
Time-based tokens
Challenge response
Public key (client-side certificates)
Smart card based
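Two of the token types listed above (time-based tokens and challenge response), as an added illustration that is not code from the presentation. The shared secret and the server's nonce bookkeeping are constructed for the demo; in a deployment the secret is provisioned into the token or smart card and the authentication server, and this covers only the "what you have" factor that is paired with a password.

```python
import hashlib
import hmac
import os

# Constructed shared secret for the demo; never hard-code one in a real system.
SECRET = b"constructed-demo-secret"

def token_code(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    # Time-based token: an HMAC over the current 30-second window, truncated to
    # 6 digits (the RFC 6238 TOTP construction, written out to show the mechanics).
    counter = int(now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_token(secret: bytes, code: str, now: float, step: int = 30, skew: int = 1) -> bool:
    # Server side: accept the current window plus one either side for clock drift,
    # comparing in constant time; codes from older windows are rejected.
    return any(hmac.compare_digest(token_code(secret, now + i * step, step), code)
               for i in range(-skew, skew + 1))

class ChallengeResponseServer:
    # Challenge-response: the server issues a fresh random nonce, the holder of the
    # secret answers with an HMAC over it, and the secret never crosses the wire.
    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, nonce: bytes, response: str) -> bool:
        # Each nonce is usable once, so a captured response cannot be replayed.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        expected = hmac.new(self.secret, nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def client_respond(secret: bytes, nonce: bytes) -> str:
    # Token / smart-card side of the exchange.
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()

def demo_challenge_response():
    # First use of a nonce succeeds; replaying the same nonce and response fails.
    server = ChallengeResponseServer(SECRET)
    nonce = server.challenge()
    response = client_respond(SECRET, nonce)
    return server.check(nonce, response), server.check(nonce, response)
```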

23 Leading Authentication Examples
IDs & Passwords – Benefits: Users are comfortable. Risks: Easily compromised or cracked!
Digital Certificates – Benefits: Can be invisible to the user. Risks: Require infrastructure, trust hierarchy.
Smartcards – Benefits: Strong link back to specific user. Risks: Deploying readers, inconvenient for user.


25 Security Architecture: The Transaction Model
Entity One (Business, a.k.a. Bank of David): Business Application, Application Server, Web Server, Firewall
Entity Two (User, a.k.a. Fred): End User, End User PC
The two entities communicate over the Internet.

26 Security Architecture: The Transaction Model – Authentication Services
Entity One (Business, a.k.a. Bank of David): Application Server, Web Server, Firewall, Authentication Server
Entity Two (User, a.k.a. Fred): End User PC, Authentication Client
The Authentication Client sends the User ID & Password over the Internet; the Authentication Server returns a Yes/No response.

27 Security Architecture: The Transaction Model – Cryptography Services
Entity One (Business, a.k.a. Bank of David): Application Server, Web Server, Firewall, Authentication Server, Private Key, Public Key Storage
Entity Two (User, a.k.a. Fred): End User PC, Authentication Client, Private Key
Confidentiality: Encrypt with the business' public key; Decrypt with the business' private key
Signature: Encrypt with the user's private digital signature key; Decrypt with the user's public digital signature key

28 Security Architecture: The Transaction Model – Putting it Together
Entity One (Business, a.k.a. Bank of David): Application Server, Web Server, Firewall, Authentication Server, Private Key, Public Key Storage
Entity Two (User, a.k.a. Fred): End User PC, Authentication Client, Private Key
Also shown: Certificate Authority, Certificate Directory
End User Signature: the user computes the message hash X = [ (y)* ] and encrypts the message hash with the user's private key

29 Security Architecture: The Transaction Model – Putting it Together
(same components as slide 28)
The End User Signature and User Certificate are sent from the user over the Internet to the business; the Certificate Authority and Certificate Directory are shown alongside.

30 Security Architecture: The Transaction Model
(same components as slides 28 and 29)
End User Signature verification at the business: re-compute the message hash X = [ (y)* ] and decrypt the received message hash with the user's public key
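The signing and sealing flow drawn in slides 27 to 30, as an added illustration that is not code from the presentation: Fred hashes the message and signs the hash with his private key, seals message and signature with the Bank of David's public key, and the bank reverses both steps and re-computes the hash. The key pairs use small constructed primes so the arithmetic can be followed; this is textbook RSA without padding and is not fit for real use.

```python
import hashlib

# Toy textbook RSA with small constructed primes, only to trace the slides' flow.
# Not a usable cryptosystem: no padding, tiny moduli, deterministic blocks. Real
# systems use a vetted library and 2048-bit or larger keys.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)   # (public key, private key)

USER_PUB, USER_PRIV = make_keypair(65521, 65537)              # Fred: signature key pair
BUSINESS_PUB, BUSINESS_PRIV = make_keypair(999983, 1000003)   # Bank of David: encryption key pair
# The user's modulus is smaller than the business' so a signature fits in one block.

def message_hash(msg: bytes, n: int) -> int:
    # SHA-256 of the message, reduced into the signing modulus for textbook RSA.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg: bytes, priv) -> int:
    # Slide 28: compute the message hash and "encrypt" it with the user's private key.
    d, n = priv
    return pow(message_hash(msg, n), d, n)

def verify(msg: bytes, sig: int, pub) -> bool:
    # Slide 30: decrypt the hash with the user's public key, compare to a re-computed hash.
    e, n = pub
    return pow(sig, e, n) == message_hash(msg, n)

def encrypt(blocks, pub):
    # Slide 27: encrypt with the business' public key, one RSA block per value.
    e, n = pub
    return [pow(b, e, n) for b in blocks]

def decrypt(blocks, priv):
    # Slide 27: decrypt with the business' private key.
    d, n = priv
    return [pow(c, d, n) for c in blocks]

def user_sends(msg: bytes):
    # Fred signs, then seals the message bytes plus the signature for the bank.
    return encrypt(list(msg) + [sign(msg, USER_PRIV)], BUSINESS_PUB)

def business_receives(envelope):
    # The bank opens the envelope and checks the signature against the recovered message.
    *body, sig = decrypt(envelope, BUSINESS_PRIV)
    msg = bytes(body)
    return msg, verify(msg, sig, USER_PUB)

def demo():
    # An honest transaction, then the same envelope with one amount digit altered in transit:
    # the integrity check (slide 16, "correct/unaltered") catches the change.
    envelope = user_sends(b"pay $100 to Carl")
    altered = envelope[:]
    altered[5] = encrypt([ord("9")], BUSINESS_PUB)[0]   # "$100" becomes "$900"
    return business_receives(envelope), business_receives(altered)
```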


32 Secure Protocols
S-HTTP
– Security-enhanced version of the HTTP protocol
– Wraps the entire message in a secure envelope
SSL
– Secures the channel with session keys
– Provides data encryption; server and client authentication in version 3
SET
– Provides authentication and encryption for credit card transactions


34 Virtual Private Networks
(diagram: sites connected across the Internet)
Encrypted tunnel
Varying levels of trust
Multiple business applications


36 Traditional Security
Host security
Secure applications / programming
Network security / partitioning
Physical security
Policies, procedures, guidelines, standards

37 Some Common Mistakes
Waiting too late to consider security
Not analyzing business risks
Giving security to a junior member of the team
Picking a solution when you don't understand the technology
Ignoring operating system level security
Thinking IDs and passwords are enough

38 Legislative Considerations
SB 1386
HIPAA
Gramm-Leach-Bliley

39 SB 1386 Breach Notification Law
Any agency or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

40 SB 1386 Personal Information Defined
An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
– Social security number
– Driver's license number or California Identification Card number
– Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account

41 SB 1386 Penalties:
– (a) Any customer injured by a violation of this title may institute a civil action to recover damages.
– (b) Any business that violates, proposes to violate, or has violated this title may be enjoined.
– (c) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.

42 Legislative Considerations
SB 1386
HIPAA
Gramm-Leach-Bliley

43 Health Insurance Portability and Accountability Act
HIPAA requires the development of comprehensive security programs to protect healthcare data.
Public Law (number not preserved in the transcript), August 21, 1996
Amends the Internal Revenue Service Code of 1986
Guarantees health coverage when job changes
Intended to reduce fraud and abuse (Medicare/Medicaid)
Preempts state laws unless more stringent

44 HIPAA Summary
Administrative Simplification - Establishes national standards for:
– Electronic (EDI) transactions;
– Identifiers such as provider, payer and employer; and
– Improved efficiency of processing health care information.
Privacy - Protect patient data from inappropriate disclosure or use:
– Require consent to use protected health information for treatment, payment and healthcare operations;
– Allow health information to be disclosed without patient authorization for certain purposes (such as research, public health and oversight) but only under defined circumstances;
– Require written authorization for use and disclosure of health information for other purposes; and
– Create a set of fair information practices to inform patients how their information is used and disclosed, and ensure they have access to information about them.
Security - Establish safeguards around patient information systems preventing unauthorized access:
– Administrative procedures;
– Physical safeguards;
– Technical security mechanisms, including processes used to prevent unauthorized access to data transmitted over a communications network.

45 Legislative Controls and Remedies
SB 1386
HIPAA
Gramm-Leach-Bliley

46 GLB Summary
In 1999 Congress enacted the Gramm-Leach-Bliley Act (GLB), significantly revising the way in which the financial services industry is regulated. GLB includes measures to protect the privacy of personal nonpublic information collected and used by financial service providers:
– Notice to customers by the firm of its policies and practices regarding nonpublic information;
– Permission for customers to "Opt Out" of disclosure by the firm of information to certain nonaffiliated third parties;
– Limitations on disclosure by the firm to third parties, and various exceptions to the limitations; and
– Review and maintenance of safeguards to maintain the security of customer information.

47 Closing Comments
Good security solutions are available; the key is applying them
Public perception will change over time
Need to focus on business risks
