E-business Security and Control - PowerPoint PPT Presentation

Title: Information Systems Planning. Author: desta.a. Last modified by: mas01md. Created Date: 1/5/2005 12:17:07 PM. Document presentation format: On-screen Show.

Slides: 37
Provided by: des97

Transcript and Presenter's Notes


1
E-business Security and Control

2
Opening Case: Visa
  • 10 commandments for online merchants, including:
  • Maintaining a network firewall
  • Keeping security patches up to date
  • Encrypting stored data
  • Restricting data access on the basis of need to
    know
  • Using updated antivirus software, etc.

3
Threat of Accidents and Malfunctions
4
Figure 13.1
5
  • Operator error
  • Hardware malfunction
  • Software bugs
  • Data errors
  • Accidental disclosure of information
  • Damage to physical facilities
  • Inadequate system performance
  • Liability for system failure

6
Threat of Computer Crime
7
Figure 13.2
8
Theft
  • Theft of software and equipment
  • Unauthorized use of access codes and financial
    passwords
  • Theft by entering fraudulent transaction data
  • Theft by stealing or modifying data
  • Internet hoaxes for illegal gain
  • Theft by modifying software

9
Sabotage and Vandalism
  • Trap door: a set of instructions that permits a user to
    bypass the computer system's security measures
  • Trojan horse: a program that appears to be valid but contains
    hidden instructions that can cause damage

10
  • Logic bomb: a type of Trojan horse set to activate when a
    particular condition occurs
  • Virus: a special type of Trojan horse that can replicate
    itself and spread
  • Denial of service attack: sabotaging a Web site by flooding it with
    incoming messages

11
Factors that Increase the Risks
  • The nature of complex systems
  • Human limitations
  • Pressures in the business environment

12
Methods for Minimizing Risks
  • Controlling system development and modifications
  • Software change control systems
  • Providing security training
  • Physical access controls

13
Controlling Access to Data, Computers, and
Networks
  • Guidelines for manual data handling
  • Access privileges
  • Access control based on what you know
  • Password schemes
  • Access control based on what you have
  • Access control based on where you are
  • Access control based on who you are

14
  • Controlling incoming data flowing through
    networks and other media
  • Commercially available virus protection products
  • Firewall software that inspects each incoming
    data packet, and decides whether it is acceptable
    based on its IP address
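
The packet decision described on this slide, as an added example that is not part of the original presentation: each incoming packet's source address is checked against an ordered rule list, the first match wins, and anything unmatched is denied. The rule set, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed rule set (documentation address ranges). Rules are checked
# top to bottom and the first match wins, so the specific deny comes first.
RULES = [
    ("deny",  "198.51.100.66/32"),  # one blocked host inside the partner range
    ("allow", "198.51.100.0/24"),   # partner network
    ("allow", "192.0.2.10/32"),     # single administrator workstation
]

def compile_rules(rules):
    """Parse CIDR strings once so each packet check is a cheap comparison."""
    return [(action, ipaddress.ip_network(cidr)) for action, cidr in rules]

def decide(source_ip, compiled, default="deny"):
    """Return 'allow' or 'deny' for a packet's source address."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return "deny"  # an unparseable address is never acceptable
    for action, network in compiled:
        if addr in network:
            return action
    return default  # nothing matched: fall back to default deny

def filter_packets(packets, compiled):
    """Split (source_ip, payload) tuples into accepted and dropped lists."""
    accepted, dropped = [], []
    for src, payload in packets:
        target = accepted if decide(src, compiled) == "allow" else dropped
        target.append((src, payload))
    return accepted, dropped

if __name__ == "__main__":
    compiled = compile_rules(RULES)
    sample = [  # constructed packets
        ("198.51.100.20", "order"), ("198.51.100.66", "order"),
        ("203.0.113.9", "probe"), ("not-an-ip", "junk"),
    ]
    ok, bad = filter_packets(sample, compiled)
    print("accepted:", ok)
    print("dropped :", bad)
```

Source addresses can be forged, so this check narrows who may connect but does not authenticate the sender.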

15
Figure 13.7
16
Making the Data Meaningless to Unauthorized Users
  • Public key encryption: an encryption method based
    on two related keys, a public key and a private
    (secret) key
  • Also used to transmit the secret key used by the
    Data Encryption Standard (DES)
  • Digital signatures: use public key encryption to
    authenticate the sender of a message and the
    message content
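
The two uses of a key pair named on this slide, as an added example that is not part of the original presentation: signing a message so the receiver can check sender and content, and wrapping a short secret key for transport. It uses textbook RSA without padding and deliberately tiny keys built from known primes; all names, keys and messages are constructed for illustration.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Return (public, private) textbook-RSA keys from two primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent: inverse of e
    return (n, e), (n, d)

def digest(message, n):
    """SHA-256 of the message as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """Sender: transform the message digest with the private key."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message, signature, public_key):
    """Receiver: undo the signature with the public key, compare digests."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

def wrap_key(session_key, public_key):
    """Encrypt a short symmetric key for the owner of the public key."""
    n, e = public_key
    return pow(int.from_bytes(session_key, "big"), e, n)

def unwrap_key(wrapped, private_key, length):
    """Owner recovers the symmetric key with the private key."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(length, "big")

# Constructed demo keys from known Mersenne primes; far too small for real use.
SENDER_PUB, SENDER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    order = b"Pay 100.00 to account 12345"  # constructed sample message
    sig = sign(order, SENDER_PRIV)
    print("genuine:", verify(order, sig, SENDER_PUB))
    print("altered:", verify(b"Pay 900.00 to account 12345", sig, SENDER_PUB))
    print("forged :", verify(order, sign(order, IMPOSTOR_PRIV), SENDER_PUB))
    des_key = bytes.fromhex("0123456789abcdef")  # constructed 8-byte key
    wrapped = wrap_key(des_key, SENDER_PUB)
    print("key ok :", unwrap_key(wrapped, SENDER_PRIV, 8) == des_key)
```

The altered message and the impostor's signature both fail verification against the sender's public key, which is what gives the receiver sender authentication and content integrity.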

17
Figure 13.8
18
Controlling Traditional Transaction Processing
  • Data preparation and authorization
  • Data validation
  • Error correction
  • Backup and recovery

19
Maintaining Security in Web-Based Transactions
  • Public key infrastructure (PKI)
  • Certification authority (CA): a company that
    issues digital certificates
  • Computer-based records that identify the CA,
    identify the sender that is being verified,
    contain the sender's public key, and are digitally
    signed by the CA

20
Transaction Privacy, Authentication, Integrity,
and Nonrepudiation
  • Web transactions are encrypted using the Secure
    Socket Layer (SSL) protocol
  • Encrypts the transmission using a temporary key
    generated automatically based on session
    information
  • Transaction authentication: the process of
    verifying the identity of the participants in a
    transaction

21
  • Transaction integrity: ensuring that information
    is not changed after the transaction is completed
  • Nonrepudiation: ensuring that neither party can
    deny that the transaction occurred

22
Difficulties With Security Methods for Web
Transactions
  • Secure Electronic Transaction (SET) method
  • Proposed by a consortium of credit card companies
  • More secure than SSL
  • Costly, and very slow adoption rate

23
Motivating Efficient and Effective Operation
  • Monitoring information system usage
  • Business process performance
  • Information system performance
  • Unusual activity
  • Charging users to encourage efficiency
  • Chargeback systems try to motivate efficient
    usage by assigning the cost of information
    systems to the user departments

24
Auditing the Information System
  • Auditing ensures that financial operations are
    neither misrepresented nor threatened due to
    defective procedures or accounting systems
  • Auditing around the computer vs. auditing
    through the computer

25
Preparing for Disasters
  • Disaster plan: a plan of action to recover from
    occurrences that shut down or harm major
    information systems

26
Major categories of security exposures within
IT/IS environment
  • Acts of God: such as fire, floods, hurricanes
    and other natural catastrophes, etc.
  • Mechanical failure: as when the H/W or S/W corrupts
    data, disc/tape is damaged, etc.
  • Human carelessness: data entry errors, accidents
    during testing, mislaid or physically damaged disc/tape,
    etc.

27
Major categories of security exposures within
IT/IS environment (Contd)
  • Malicious damage: such as sabotage, a malicious
    user or programmer, etc.
  • Crime: embezzlement, industrial espionage,
    employees selling secrets, etc.
  • Invasion of privacy: may be due to casual
    curiosity, malicious invasion of privacy, obtaining data by
    a competing org., etc.

28
DISASTER CATEGORIES
  • The fundamental hurdle to overcome when planning
    for disaster recovery is to realize that the
    seemingly large variety of possible disasters can
    actually be reduced to a manageable number.
  • In point of fact, all disasters can be grouped
    into one or more of only THREE categories. These are:
  • - loss of information,
  • - loss of access,
  • - loss of personnel.

29
Introduction to Risk Analysis
  • There are a number of distinct approaches to risk
    analysis.
  • However, these essentially break down into two
    types:
  • Quantitative Risk Analysis
  • Qualitative Risk Analysis

30
Quantitative Risk Analysis
  • This approach employs two fundamental elements:
  • the probability of an event occurring, and
  • the likely loss should it occur.
  • It also uses a single figure produced from these
    elements.
  • This is called the 'Annual Loss Expectancy
    (ALE)' or the 'Estimated Annual Cost (EAC)'.
  • This is calculated for an event by simply
    multiplying the potential loss by the
    probability.

31
Qualitative Risk Analysis (The relational model)
32
Qualitative Risk Analysis
  • This is by far the most widely used approach to
    risk analysis. Probability data is not required
    and only estimated potential loss is used.
  • Most qualitative risk analysis methodologies make
    use of a number of interrelated elements:
  • a) THREATS
  • These are things that can go wrong or that can
    'attack' the system. Examples might include fire
    or fraud. Threats are ever present for every
    system.

33
Introducing Risk Analysis
  • b) VULNERABILITIES
  • These make a system more prone to attack by a
    threat or make an attack more likely to have some
    success or impact. For example, for fire a
    vulnerability would be the presence of
    inflammable materials (e.g. paper).
  • c) CONTROLS
  • These are the countermeasures for
    vulnerabilities. There are four types:
  • Deterrent controls reduce the likelihood of a
    deliberate attack

34
Introducing Risk Analysis (Contd..)
  • CONTROLS (Continued from the previous page)
  • Preventative controls protect vulnerabilities and
    make an attack unsuccessful or reduce its impact
  • Corrective controls reduce the effect of an
    attack
  • Detective controls discover attacks and trigger
    preventative or corrective controls

35
(The Information Security Process)
36
Information Security Architecture