
The WebTrust Initiative

Providing Assurance on the World Wide Web

[email protected]

A Little eCommerce History

1962 - Internet conceived

1969 - 4 US College campuses are linked creating ARPANET

1971 - ARPANET grows to 23 hosts

1972 - InterNetwork Group (INWG) is born

1979 - USENET groups 1st appear

1982 - Term Internet appears


How Big is This Internet?

Difficult to predict with any certainty

Huge growth in past two years: as of July 13, the Web now comprises over 2.1 billion pages

Internet users now estimated at over 348m people (148m in US and Canada)

By 2006 estimated > 720m people

Projected to grow - Projections vary

The total value of goods and services traded between companies over the Internet will reach $8 billion this year and $327 billion in the year 2002. The rapid growth of intercompany commerce will cause businesses to adopt dynamic trading processes.

Forrester July 1997

1997 Market Estimates

How Big is This Market?

Still in infancy, with growing pains

One US projection: $70b (1999), $161 billion this year, $303 billion in 2001, to $851b in 2003

Worldwide projection: $76b to $1.442 in 2003

Let’s Compare B2C Christmas

1999 - $10.5 billion

2000 – estimate $19.5 billion

Last year - 78% of internet users used the internet in some capacity: 33% bought online and 45% gathered information online

Shoppers - 42% female in 1999, now 63%

In the words of “Buzz Lightyear”

To Infinity and Beyond !!!

The eCommerce Transaction Processing Cycle

Diagram components: User Authentication, Commerce Server, Firewall, Demilitarized Zone; links out to transaction processing and to payment processing


Processing Cycle - Transaction Processing

Diagram components: Transaction Server, Application Server, Firewall, Business database, Other processes


Processing Cycle - Payment Processing

Diagram components: Gateway, Firewall, Firewall, Acquiring Bank


What are the Concerns?

Client and Public (B2C): privacy concerns; security of sites; timely delivery of product; reliable sites – impersonations

B2B: as above, plus confidentiality and non-repudiation

Recent News About Privacy

Sept 18 – More.com sued for releasing private info

Sept 3 – Amazon changes Privacy Policy

Sept 14 – Two leading online privacy groups drop out of Amazon’s affiliate program

August 18 – Judge blocks Toysmart from selling personal information

Aug 17 – Love letter virus variant steals banking info from Swiss bank accounts

Issue Of Security

Recent Headline

Denial of Service Attacks Disrupt Internet

eBay down! Charles Schwab down! Amazon.com down! CNN.com down! Entire network affected

On Monday and Tuesday, February 7 and 8, 2000, a large number of major sites across the US were assaulted by “Denial of Service” (DoS) attacks.

Internet Threats (Examples)

Spoofing

Packet sniffing

Exploiting vulnerabilities (e.g. firewall / operating system)

Password Cracking / Guessing

Denial of Service

Buffer Overflow

Web Spoofing

The attacker’s Web server sits between the victim and the rest of the Web: a “man in the middle” attack.

The attack is facilitated by rewriting all of the URLs on a baiting Web page so that they point to the attacker’s server rather than to the real server.

For example, http://home.netscape.com becomes

http://www.attacker.org/http://home.netscape.com.

Once the victim is captured, the attacker ‘spoofs’ the user by retrieving the ‘real page’ and re-writing it before forwarding it to the user.

Web Spoofing Illustrated

Parties: Victim’s Browser, www.attacker.com, www.server.com

1. Victim’s browser requests the spoof URL from www.attacker.com

2. www.attacker.com requests the real URL from www.server.com

3. www.server.com returns the real page contents to www.attacker.com

4. Access codes are revealed to www.attacker.com, or the page contents are changed

5. www.attacker.com returns the spoofed page contents to the victim’s browser
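As an added defensive example (not part of the original presentation), the following C program flags links whose path embeds a second absolute URL, which is the rewriting signature shown above. The function names and the sample hrefs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* True if s starts with "http://" or "https://". */
static int starts_with_scheme(const char *s) {
    return strncmp(s, "http://", 7) == 0 || strncmp(s, "https://", 8) == 0;
}

/* Returns a pointer to the embedded original URL when the path of `url`
   begins with another absolute http(s) URL, i.e. the rewriting pattern
   http://www.attacker.org/http://home.netscape.com from the slide.
   Returns NULL for ordinary absolute links and for relative links. */
const char *embedded_target(const char *url) {
    const char *path;
    if (!starts_with_scheme(url)) return NULL;       /* relative link: not this pattern */
    path = strchr(strstr(url, "://") + 3, '/');      /* first '/' after the host */
    if (path == NULL || !starts_with_scheme(path + 1)) return NULL;
    return path + 1;
}

/* Counts the links in `hrefs` that show the rewriting signature. */
int count_rewritten(const char *const *hrefs, int n) {
    int flagged = 0;
    for (int i = 0; i < n; i++)
        if (embedded_target(hrefs[i]) != NULL) flagged++;
    return flagged;
}

int main(void) {
    /* Constructed sample of hrefs as they might appear on a baiting page. */
    const char *const sample[] = {
        "http://www.attacker.org/http://home.netscape.com",
        "http://www.attacker.org/https://www.server.com/login",
        "http://home.netscape.com/",
        "/local/page.html",
    };
    int n = (int)(sizeof sample / sizeof sample[0]);
    for (int i = 0; i < n; i++) {
        const char *t = embedded_target(sample[i]);
        printf("%-55s %s\n", sample[i], t ? t : "ok");
    }
    printf("%d of %d links rewritten\n", count_rewritten(sample, n), n);
    return 0;
}
```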

Password Cracking / Guessing

Software based

Dictionary checking (extremely fast)

Social Engineering

Brute Force (maybe some intelligence)

Objective: to find the “keys to the kingdom” (i.e. Administrator / Root / Supervisor)

Buffer Overflow

Occurs when more data is placed into a computer memory space than was provided for.

Example: Placing 800 “a”s into a space defined to hold 30.

Result: unexpected program response: shut down service, display source code, or execute attacker code (to gain superuser rights to O/S)
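An added example, not from the original presentation: the unchecked copy the slide describes, beside a hardened version that rejects the 800-“a” input instead of writing past a 30-byte field. The function names and sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 30   /* "a space defined to hold 30" from the slide */

/* The unsafe pattern the slide describes: strcpy copies until it finds the
   terminating NUL, so an 800-byte input runs hundreds of bytes past the end
   of `field`. Kept here for contrast only; it is never called. */
void store_unchecked(char field[FIELD_SIZE], const char *input) {
    strcpy(field, input);
}

/* Hardened form: measure first, refuse anything that does not fit together
   with its terminating NUL, and report the rejection instead of silently
   truncating. Returns the stored length, or -1 when the input was rejected. */
int store_checked(char *field, size_t field_size, const char *input) {
    size_t n = strlen(input);
    if (n >= field_size) return -1;   /* would overflow: reject, write nothing */
    memcpy(field, input, n + 1);      /* copy including the NUL */
    return (int)n;
}

/* Reproduces the slide's 800 'a's (constructed here) against a 30-byte field. */
int demo_800_a(void) {
    char field[FIELD_SIZE] = "";
    char big[801];
    memset(big, 'a', 800);
    big[800] = '\0';
    return store_checked(field, sizeof field, big);   /* -1: rejected */
}

int main(void) {
    char field[FIELD_SIZE];
    printf("short input -> %d\n", store_checked(field, sizeof field, "order-1234"));
    printf("800 'a's    -> %d\n", demo_800_a());
    return 0;
}
```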

Special Committee (“Elliott”)

Assurance service recommendations

On-going process for new services

Assurance Services Executive Committee

Dual focus: build the practice for the profession; promulgate user-oriented measurement criteria

Joint AICPA / CICA Team Efforts


Background To WebTrust

Improved business disclosure and practices

Better transaction processing and security

Enhanced trust and confidence on “the net”

Greater competition, greater array of choices for the customer

Helps “level the playing field”

Benefits of WebTrust family

Independent verification can allay the majority of these fears, as does a financial statement audit

Public accounting is quality controlled the world over

Also serves as a valuable eCommerce consulting tool in understanding best practices

Follows a standardized process from Web site to Web site, giving comfort to oversight authorities

Independent Verification

The WebTrust “Process”

Management makes representations about eCommerce practices and disclosures

CA collects evidence to support management’s assertions

CA examines representations

CA issues seal


History Of WebTrust

Conceived December 1996

December 1997 – Version 1.0

June 1998 – Version 1.1

November 1999- Version 2.0

Fall 2000 – Version 3.0 introduction

Also WebTrust for Certification Authorities (next week) and ISPs

WebTrust now

Still the only comprehensive seal of assurance, but now the pitch is eCommerce business solution

Focus on all aspects of eCommerce & flexible to specific needs of eCommerce entity (Ver 3.0)

Based on WebTrust Principles and Criteria

Accountant licensed by Institute after training

Accountant’s report posted on new secure server

Site is re-evaluated every 180 days versus 90 days

Each firm and each engagement still subject to independent QC reviews

e-Commerce Assurance – WebTrust Version 3

Will allow reports on 1 or multiple principles:

Privacy

Availability

Confidentiality

Security

Transaction Integrity

Non-repudiation

Security - The enterprise discloses key security policies, complies with such security policies, and maintains effective controls to provide reasonable assurance that access to the electronic commerce system and data is restricted only to authorized individuals in conformity with its disclosed security policies.

Privacy - The enterprise discloses its privacy practices, complies with such privacy practices, and maintains effective controls to provide reasonable assurance that personally identifiable information obtained as a result of electronic commerce is protected in conformity with its disclosed privacy practices.

Transaction Integrity - The enterprise discloses its business practices for electronic commerce, executes transactions in conformity with such practices, and maintains effective controls to provide reasonable assurance that electronic commerce transactions are processed completely, accurately and in conformity with its disclosed business practices.

More Details

Confidentiality - The enterprise discloses its confidentiality practices, complies with such confidentiality practices and maintains effective controls to provide reasonable assurance that access to information obtained as a result of electronic commerce and designated as confidential is restricted to authorized individuals in conformity with its disclosed confidentiality practices.

Availability - The enterprise discloses its practices for availability, complies with such availability disclosures, and maintains effective controls to provide reasonable assurance that e-commerce systems and data are available as disclosed.

Non-repudiation - The enterprise discloses its practices for non-repudiation, complies with such practices, and maintains effective controls and appropriate records to provide reasonable assurance that the authentication and integrity of transactions and messages received electronically are provable to third parties in conformity with its disclosed non-repudiation practices.

More Details

Customized Disclosures – (Must be issued in conjunction with at least one other principle). The enterprise’s specified disclosures are consistent with professional standards for suitable criteria and relevant to its electronic commerce business. In addition, the enterprise maintains effective controls over the processes supporting such disclosures to provide reasonable assurance that such disclosures are reliable.

More Details

Status of Modules – March 5/01

Principle Current status

(1) Privacy Published

(2) Security Published

(3) Trans. Integrity Published

(4) Availability Published

(5) Non-repudiation in development

(6) Confidentiality Exposure soon

(7) Customized disc. in development

“Value Pack” Engagements

Customer protection – transaction integrity and privacy

Service providers not yet decided

Special seals

Must meet all to get seal

What’s Easier to Sell?

Privacy is a hot issue

Security permeates – duplication with security module

If Version 2 – then transaction integrity and privacy – Consumer Protection

Availability – service providers, B2B extranets

Confidentiality/non-repudiation – B2B extranets etc.

Customized disclosure

Modules - Framework

Each Module to have a common framework

Framework consists of 4 topics under which criteria are to be grouped:

Policies (goals and objectives)

Procedures and technology tools

Monitoring (performance measures)

Disclosures

Consumer recourse to be considered for each module

Firm Name

WebTrust Seal

Web consumer would see the seal on a Web page

Would then click on it to access additional information

Display of firm name, logo is optional

“Click” to see report and other information

What User Sees by Clicking on the Seal

VeriSign certificate information

Accountant’s (XY&Z’s) report

Management’s assertions

Business practices disclosures

Link to AICPA/CICA WebTrust Principles & Criteria

Other relevant information

Let’s look at a few sites

HD Vest

Bell Canada

Charity.ca

E-Trade

American Red Cross

WebTrust Secure Server & Seal Design

Server - outsource management to ISP

ISP responsibilities: verify validity of seal; post auditor’s report; Principles and Criteria; managed list of valid sites

Client site contains WebTrust seal and disclosures

Seal linked to secure server

Seal design: WebTrust is our brand (more marketable); optional addition of firm name; “Independent Verification”; blinking “Click”

Second click of seal: modules tested, links to standards, report, etc.

Firm Name

Providing WebTrust Services

Assurance Standards (Section 5025) Examination level

Independence


Providing WebTrust Services

Practicing across provincial, state and international boundaries

Client & Engagement Acceptance

Client acceptance: nature of business, reputation, management

Engagement acceptance: control environment, nature of sites; are they likely to meet criteria?

Expertise Required: Code of Professional Ethics, Section 5025 Minimum Competencies


Providing WebTrust Services

Engagement Letters

Dates: period covered by accountant’s report; period between updates

Control on seal: requirements of WebTrust license


Scoping the Work

Business locations, Web hosting locations, ISPs

Products / services included & excluded

Complexity - the exponential effect

Time requirements - first examination: low-end simple sites, probably 2 or 4 weeks minimum; high-end complex sites, probably 8 to 15 weeks; less for clients where we’ve performed work on E-Comm systems (audit or consulting)

Time requirements - update examinations: changes, change management controls, etc.

Estimation template


Skill Sets Needed

Professional Standards

Systems Concepts

Business & Transactions Initiation

Hardware

Software

Networks/Internet

Outside experts


Engagement Management

Documentation: working papers, engagement summaries

Management Representation Letter

Accountant’s Report

Dealing with Changes to the Web Site

Self Assessment Document

System of Quality Control


Implementation Planning

Skills & Competencies – TRM and Assurance

Targeting Your Clients – hot buttons

Related Services – consulting

Sales Process – often many calls

Marketing – new materials under development

Seal Management & Administration – new process

Internal Firm Guidance

System of Quality Control –

Key Sites

www.cica.ca

www.aicpa.org

www.truste.org