Date posted: 10-Apr-2018
8/8/2019 maloneySlides
1/27
Security and International E-Commerce
November 2000
Jim Maloney
SecurityPortal - The focal point for security on the Net

Copyright 2000 SecurityPortal, Inc. All rights reserved.

Agenda
Security and e-commerce
Security defined
General security threats to e-commerce
International security issues
Key elements of a security solution
Recommended security approach
Summary

Why is security important for E-Commerce?
[Diagram: driving factors - Increased Bandwidth, Expanded Access, ASP Delivery Model, Tech-Savvy Culture, Mobile Society, Sophisticated Applications, Customer-Centric Business Models, Ubiquitous Internet - lead to Increased E-Business Opportunities and, at the same time, to Increased Exposure, Threats, Vulnerabilities and Privacy Concerns]

Old economy view of security
In the Old Economy, computing security was often viewed as a discretionary element of the business
The focus was on protection of information systems and data

New economy view of security
In the New Economy, computing security is viewed as a strategic element of the business
The focus is on enabling new ways of doing business and value creation
And from a protection perspective, security is now protecting the entire business, not just its information systems

A working definition of security
Confidentiality - the protection of private data on hosts or in transit
Integrity - the system does not corrupt information or allow unauthorized malicious or accidental changes to information
Availability - the computer system's hardware and software keep working efficiently, and the system is able to recover quickly and completely if a disaster occurs
Accountability - the ability to determine who is responsible for the result of an action

General security threats to e-commerce
Web site defacement
Denial of service
Theft of customer data
Theft of intellectual property
Sabotage of data or networks
Financial fraud

Resulting business impact
Lack of consumer confidence if there are any real or perceived security issues
Loss of profits due to last-minute security implementations
Damage to image and reputation if you have a visible security incident
Bankruptcy if the majority of your business transactions occur online
Benefits to competitors if your level of security is perceived to be inadequate

International security issues
Regulations and policies
Education and awareness
Cultural norms
Access modes
Local government stance on cybercrime

Regulations and policies
Encryption laws vary greatly from country to country. This can impact both the availability and use of the appropriate technology. http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
Privacy and consumer protection laws also vary greatly from country to country. These laws control how personal data can be used and shared. Violations can lead to substantial fines. http://www.gilc.org/privacy/survey

Education and awareness
While malicious, external security attacks get most of the publicity, it is often employee mistakes and oversights that cause security issues
Security awareness education for all employees, and specific training for your IT team, can be an excellent defense for both internal and external incidents
A recent survey showed that 86% of Shanghai's networks had security products installed, but less than 2% of the network professionals actually knew how to protect their networks from intruders

Cultural norms
Limited work hours for support and emergency response services
Being on-call
Multi-shift operations (24/7)
History of not protecting intellectual property
Electronic documents
Software
CDs and DVDs

Access modes
There is a rapid increase in the number of users accessing the internet via wireless devices such as cell phones
In addition to their small size, portable wireless devices have limited processing power, limited memory and a limited power supply
These characteristics lead to several security challenges

Access modes - continued
With very limited keyboards and screens, cell phones and handhelds will require new authentication schemes to replace usernames and passwords
New schemes may include screen-based biometrics, embedded certificates, hardware tokens, web cookies and PINs
These devices are viewed as likely platforms for viruses that can be carried from network to network without detection

Access modes - continued
Data moving through air is vulnerable to interception using relatively inexpensive equipment
The portability of these devices increases the need for physical security and authentication

Local government stance on cybercrime
Singapore - Very detailed statutes regarding penalties for criminal hacking
Brazil - No special laws against cybercrime (and a very active hacking community)
The Philippines had no anti-hacking laws until the Lovebug virus was traced back to their country
Interpol is working to establish international standards for cybercrime legislation http://www.mossbyrett.of.no/info/legal.html

Asia/Pacific perspective
Factors accelerating adoption of security
Growth of e-commerce in this region
Government initiatives supporting security
Recognition of the need for security guidelines, regulations and products that enable interoperability

Asia/Pacific perspective - continued
Factors inhibiting the adoption of security
Lack of integrated security solutions that can span systems and regions
Lack of awareness of security issues and solutions

Security is more than technology
[Diagram: three pillars - People, Process, Technology - surrounding a continuous cycle of Anticipate, Defend, Monitor, Respond]

Security is an attribute, not a component
[Diagram: layered system architecture, top to bottom - App, App, App, App; User Interface; Application Development Environment; Information Management; Distribution Services; Network & Networking Services; Hardware & Operating System. System Management and Security runs as a vertical band spanning every layer]

General security approach
Develop accurate and complete policies that span the supply chain
Make sure that all employees understand the importance of computing security
Define clear roles and responsibilities for e-commerce security
Perform regular audits, reviews and assessments of security
Don't ignore the physical security of your systems

Secure web site development tips
Include security as part of requirements gathering
Include security as part of the architecture
Be careful with embedded components
Never trust incoming data
Provide help to users
Use code reviews
Be aware of privacy and encryption laws
Stay up-to-date on new risks, threats and vulnerabilities
Document your security solution

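The tip "never trust incoming data" is the one on this slide that translates directly into code. The example below is added here and is not part of the original slides or of SecurityPortal's articles: it shows one way an e-commerce order form can be handled so that every field arriving from the browser is checked against an explicit rule and converted to a typed value before it touches the database, and the database lookup binds the value as a parameter instead of splicing it into the SQL text. The product table, the field names (product_id, quantity, email) and the limits are constructed assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory catalogue standing in for an e-commerce product table.
def build_catalogue():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", 1999), (2, "Gadget", 4999)],
    )
    conn.commit()
    return conn


# Assumed validation rules for this demonstration (not from the slides).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MAX_QUANTITY = 99


def validate_order(form):
    """Validate the raw string fields of an order form.

    Returns (cleaned, errors). Every field is treated as untrusted text: it is
    checked against an explicit allow-list rule and converted to a typed value,
    and anything that does not fit is rejected rather than silently "fixed".
    """
    cleaned, errors = {}, []

    pid = form.get("product_id", "")
    # Digits only: no whitespace, quotes or other SQL metacharacters get through.
    if pid.isdigit() and int(pid) > 0:
        cleaned["product_id"] = int(pid)
    else:
        errors.append("product_id must be a positive integer")

    qty = form.get("quantity", "")
    if qty.isdigit() and 1 <= int(qty) <= MAX_QUANTITY:
        cleaned["quantity"] = int(qty)
    else:
        errors.append(f"quantity must be between 1 and {MAX_QUANTITY}")

    email = form.get("email", "").strip()
    if len(email) <= 254 and EMAIL_RE.match(email):
        cleaned["email"] = email
    else:
        errors.append("email is not well-formed")

    return cleaned, errors


def lookup_product(conn, product_id):
    """Fetch a product by id using a parameterised query.

    The id is passed as a bound parameter, never interpolated into the SQL
    string, so the database treats it as a value whatever its contents are.
    """
    return conn.execute(
        "SELECT id, name, price_cents FROM products WHERE id = ?", (product_id,)
    ).fetchone()


def price_order(conn, form):
    """Validate the form first, then price it against the catalogue.

    Returns (order, errors); order is None whenever any check fails.
    """
    cleaned, errors = validate_order(form)
    if errors:
        return None, errors
    product = lookup_product(conn, cleaned["product_id"])
    if product is None:
        return None, ["unknown product"]
    total = product[2] * cleaned["quantity"]
    return {"product": product[1], "quantity": cleaned["quantity"], "total_cents": total}, []


if __name__ == "__main__":
    conn = build_catalogue()
    # Well-formed submission: priced normally.
    print(price_order(conn, {"product_id": "2", "quantity": "3", "email": "buyer@example.com"}))
    # Malformed submission: every field is rejected before any query runs.
    print(price_order(conn, {"product_id": "2 OR 1=1", "quantity": "0", "email": "not-an-email"}))
```

The two layers are deliberately independent: validation rejects anything that is not a positive integer, so malformed ids never reach the database, and the parameterised lookup would still treat such a string as a plain value if it did. Either layer alone is a reasonable defence; keeping both means a mistake in one form handler does not silently become a data-access problem.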
Secure web site development references
Recent articles on SecurityPortal: Best Practices for Secure Web Development (parts I and II)
Web Security & Commerce (O'Reilly Nutshell) by Simson Garfinkel, Gene Spafford
Web Security: A Step-by-Step Reference Guide by Lincoln D. Stein

Summary
Security is a critical enabler for e-commerce
The negative impact of poor security can be substantial
Many of the issues and solutions regarding secure international e-commerce are people and process related, not technical
Security is a key attribute of a system that must be designed in, not added on later
Maintaining a secure web site requires continuous vigilance

Bibliography
E-Business Security: An Essential Element in the Post-Year 2000 World. Gartner Group Research Report, April 17, 2000.
The Net Present Value of Security. AtomicTangerine Special Report, October 11, 2000.
International Ecommerce. SecurityPortal cover story, November 5, 2000.
Information Security: The E-Commerce Driver. Dataquest Market Analysis, January 10, 2000.
E-Business Impact on Security Technology and Practices. Gartner Group Research Note, November 11, 1999.
Security Services in the Connected Age: From the basement to the boardroom. Gartner Group Market Analysis, July 4, 2000.

Bibliography - continued
Shanghai to Enhance Information Security. http://www.nikkeibp.asiabiztech.com, February 15, 2000.
Wireless Security: Locking Down the Wavelengths. Information Security Magazine, October 2000.
Do Handhelds Need Virus Protection? PCWorld.com, June 29, 2000.
Best Practices for Secure Web Development. http://securityportal.com/cover/coverstory20001030.html, October 30, 2000.
Best Practices for Secure Web Development: Technical Details. http://securityportal.com/articles/webdev20001103.html, November 10, 2000.