e security project

Upload: ratish-kakkad

Post on 05-Apr-2018


TRANSCRIPT

  • 8/2/2019 e Security Project

    1/25

    E-security

    Internet Security for

    Small & Medium Business

    2/25

    Why do I need e-security?
    www.noie.gov.au/publications/NOIE/trust/Chap1/index.htm

    The potential of the Internet
        Email and World Wide Web
        500 million people being connected to the Internet

    The benefit of doing business over the Internet
        Increased potential customer base,
        Reduced paperwork and administration,
        Reduced time to receive orders, supply goods and make and receive payments, and
        Access to great range of supplies

    3/25

    WHY INTERNET IS DIFFERENT?

    E-Security: Security in Cyberspace

    | Paper-Based Commerce | Electronic Commerce |
    |---|---|
    | Signed paper Documents | Digital Signature |
    | Person-to-person | Electronic via Website |
    | Physical Payment System | Electronic Payment System |
    | Merchant-customer Face-to-face | Face-to-face Absence |
    | Easy Detectability of modification | Difficult Detectability |
    | Easy Negotiability | Special Security Protocol |

    4/25

    Security Design Process

    5/25

    Network Traffic

    6/25

    You may consider
        E-banking
        E-shopping
        E-tailing
        Sending and receiving orders to and from partners
        Loading your tax return or business activity statements or conducting other transactions with government agencies.

    7/25

    Why is security an issue on the Internet?
        The Internet carries risk
            According to the FBI, more than 1 million credit card numbers were stolen via the Internet last year
            Information transmitted over the Internet can be intercepted at any point

    Overview of security needed
        Businesses need to consider
            The basic applications such as email
            How to go about buying and selling online
            How to protect computer systems, and
            The legal issues surrounding e-business.

    8/25

    E-security technologies
        Four basic security principles
            Authenticity
            Security
            Non-repudiation
            Privacy or confidentiality

    9/25

    IV. A Four Pillar Approach

    10/25

    Pillar 1: Legal framework, Incentives, Liability
        No one owns the internet so how can self-regulation work?
        Basic laws in the e-security area vary a lot across countries as do penalties
        Defining a money transmitter
        How to define a proper service level agreement (SLA)
        Downstream liability
        Issues in certification and standard setting

    11/25

    Pillar 2: Supervision and External Monitoring
        Technology Supervision and Operational Risk:
            Retail Payment Networks;
            Commercial Banks;
            E-Security Vendors
        Capital Standards and E-Risk
        On-Site IT examinations
        Off-site processes
        Coordination: between regulatory agencies; between supervisors and law enforcement
        Cyber-Risk Insurance
        Education and Prevention

    12/25

    Pillar 3: Certification, Standards, Policies and Processes
        Certification
            Software and hardware
            Security vendors
            E-transactions
        Policies
        Standards
        Procedures

    13/25

    Pillar 4: Layered Electronic Security
        12 Core Layers of proper e-security
        Part of proper operational risk management
        General axioms in layering e-security
            Attacks and losses are inevitable
            Security buys time
            The network is only as secure as its weakest link

    14/25

    GSM Vulnerabilities
        SIM-CARD Vulnerability
        SMS Bombs
        Gateway Vulnerability
        WAP Vulnerability
        Man in the Middle Attack

    15/25

    16/25

    Authentication technologies
        Authentication technologies rely on
            Something you know
            Something you possess
            Something you are: a unique physical quality
        Password systems for authenticating identities and communications:
            Secure sockets layer (SSL) technologies
            Public key infrastructure (PKI)
            Virtual private network (VPN)
            Secure managed services

    17/25

    The pyramid of Authentication Technologies.
        PKI Plus Biometrics
        Digital Signature Certificate - PKI
        Digital Signature Certificate - PGP
        Passwords + SSL
        Password / Tokens

    High level of security offered. For highly valued information
    Lower level of security offered. For less valuable information

    18/25

    How to send email securely?

    [Diagram: Email network, showing a web-based email server, an intranet email server, mail servers, and email users]

    19/25

    Secure Web email
        Web-based email service is a sensible choice
    Dedicated email encryption
        Use public key and PGP
    Secure email gateways
    Secure email versus postal mail
        Secure envelope
        Inside being signed and authenticated

    20/25

    How to conduct secure transaction online?
        SSL and e-commerce
        SSL limitation
        Data transmitted using SSL
        SSL offering strong authentication
        A secure envelope
        A guarantee to your destination
        Signature on envelope

    21/25

    How to deal with other e-security threats?
        Viruses
        Hacking
        Denial of service
        Dumping
        Port scanning and sniffing
        Method of protection - firewall

    22/25

    Securing your own PC
        file sharing
        browser security
    The importance of the real world security
        ensure your workplace IT equipment is stored in a secure and lockable location
        Keeping up-to-date logs of all equipment.

    23/25

    Privacy - important issue for e-security
        The privacy act and e-security
        Website privacy policies
        Cookies and Web bugs
        Monitoring stuff online

    24/25

    Laws applying to e-business
        Electronic Transaction Act 1999 (ETA)
            giving information in writing
            providing a signature
            producing a document in material form and
            recording or retaining information

    25/25

    Thanks!

    CBRC