Controlling the e-developments Charles Mansour, CISA ISACA Technical Presentation 16th November...
Controlling the e-developments
Charles Mansour, CISA
ISACA Technical Presentation
16th November 2000
Introduction
• Me
• Been involved in auditing Computer Systems since 1983
• In Computer Audit in Woolwich plc (Retail Bank) since 1986
• Involved in systems developments more or less continuously
Audience Make Up
• All Auditors???
Summary of Session
• Look at why risk management in E-Business Development is important
• Analyse the E-Business risk ‘big picture’
• Examine some ways of containing risks
Signpost
• Should last for just about 40 minutes
• Questions: about five minutes
Handouts
Businesses Fail Because they don’t manage risks!
Small companies face hacker threat Friday, October 13, 2000 E-Commerce Half of all small to medium-sized businesses that manage their own security will have been hit by an internet-based attack by 2003, industry analyst Gartner has warned.
SDMI Denies Hackers Trumped Security - Update Tuesday, October 17, 2000 E-Commerce The Secure Digital Music Initiative (SDMI) forum is denying that hackers successfully hacked into copyright-protected software, as part of a $10,000 challenge the company issued to anyone who thought themselves capable of compromising its technology.
ClickAction says FBI investigating marketing e-mail incident Friday, October 13, 2000 E-Commerce ClickAction Inc., which provides e-mail marketing, said it is working with the FBI to investigate a prank involving one of the company's ad campaigns for the Republican party. By Bloomberg Boston Herald ……. ClickAction shares fell 1/2 to 7 1/2.
Background to Security
• Who could be active in your system?
– 30 years ago: technical staff and a few users
– 25 years ago: technicians and knowledgeable users
– 10 years ago: technicians, most users, some partner firms
– NOW: THE WORLD!
• and we’re inviting them in!
Trust based Security
Rule Based Security
What’s Security?
Increasing Significance of E-Business Security
• E-Business is becoming more important
– Will be critical to operations of most businesses
– e-payment
– b2b
– b2c
– Internet banking
• Delivery Channels are proliferating
• Security is now a major factor when people decide to do E-business
Why Bother with Security in E-Business Development
• It’s cheaper!
• It’s more likely to get done
• It has a better chance of being embedded in the offering, rather than being built around it
• generally provides a better quality solution
Who’s Responsible for E-Business Security
• E-Business Risk and Data / systems should be ‘owned’ by the Business
– IT / Security have Stewardship Responsibility
• Main Players
– Business
– IT Management
– Security Function
– Customers / Suppliers
What are the Risks?
• Fraud
• Unauthorised access
• Interception
• Alteration
• Spoofing
• Repudiation
• Attacks
• Legal / Regulatory Sanction
What’s at Risk?
• Assets
– Host Systems
– Core Data / Information
– Resources e.g. WEB pages
– Funds
– Reputation
Who’s it at Risk From?
• Hackers
– casual
– determined attack
• Customers’ Systems
– do we know their systems are secure?
• Own People
– technicians
– users
– business and developers (unwittingly!)
Where is it at Risk?
• Corporate culture
• Perimeter / interface with outside world
• Core systems, programmes and files
• Network environment
• Telecomms environment
• In the development process itself
How is it at Risk?
• Hack
– casual / mischievous
– determined
– damage
– DDOS (Distributed Denial of Service)
• Data Interception / Alteration
• Lack of resilience / performance
• Unauthorised Access
• Poor performance
• Attack
How is it at Risk?
• Re-direction (spoofing)
• Interception / Extraction
• Corruption
• Duplication
• Unauthorised Change
• Implementation of incomplete systems
How is it at Risk in the Development Lifecycle (SDLC)?
• Business want it NOW!!!
• Security is an afterthought
• Risks not assessed / accepted, or ignored
• Lack of Development Disciplines / Structure
• Inadequate testing (especially security)
• Business ‘frozen out’ - IT take over
• The ‘pilot implementation’
• Re-Work (not enhancement!) after implementation
• Partial development - needs a holistic view
What can we do About it in the SDLC?
• Beginning
– Commitment to Security
• Business need to see E-Business security as an enabler, and a fact of life in E-Business
– Adopt Standards (the ‘Road Map’)
• BS7799
• CoBIT
– Risk Analysis
• what’s at risk / where / how much
– Development Disciplines / Strong Project Management
What can we do About it in the SDLC?
• Middle
– QA / Independent (Expert) Review
– Security Acceptance Criteria for implementation
– Test security - the testing environment HAS to look like the real world - fight for the resource!
– Holistic testing approach
• all points of vulnerability
• customer systems / connections
• all connected systems
What can we do About it in the SDLC?
• End
– Pen Test
• Before / after implementation
• Will determine weak points
• Costs money
• Should be no surprises, but…..
– Security should be a major factor when the Business accepts a system for implementation
What can we do Following Implementation
• Regularly review risk profile – Things are constantly changing
• Keep abreast of security exposures– [email protected]
• Ensure that all patches and Service packs are taken and applied
• Unannounced penetration tests
Network Controls
• Encryption
• Firewalls
• Honeypots
• Packet sniffer (SNORT)
• Monitoring / Reporting software
• Test, test, test
• Pen Test
People Controls
• External
– PKI
• non-repudiation
– Passwords
– Firewalls, access gateways
• prevent access
• Internal
– Security Policy / Logical Security
– Management Control
– Development Disciplines
Data Controls
• Encryption
• Packet switching
• Change Control
• File Control Totals
• File / Directory Security
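As an added worked example (not from the presentation), the block below shows what “File Control Totals” and “Encryption” buy you as data controls against the risks listed earlier: Corruption, Duplication and Unauthorised Change of a batch file passing between systems. The record layout, field names, sample payments and shared key are all constructed for illustration. The point it makes: a record count and value total catch accidental corruption and replayed records, but a fraudster who only changes the beneficiary account leaves every arithmetic total balanced, so a keyed hash (HMAC) over the whole file is needed as well.

```python
"""Added example: file control totals plus a keyed hash as data controls.

Not part of the ISACA presentation. The batch format ("id,account,amount"),
the sample records and SHARED_KEY are assumptions made for illustration.
"""
import hashlib
import hmac

# Constructed sample batch file: one payment per line, "id,account,amount_pence".
BATCH = b"""0001,12345678,150000
0002,23456789,20050
0003,34567890,999
0004,45678901,75000
"""

# Assumption: a secret shared by the system that writes the file and the one
# that accepts it. In a real deployment it would live in a key store / HSM.
SHARED_KEY = b"example-shared-key-not-for-production"


def control_totals(data: bytes) -> dict:
    """Classic batch controls: record count, value total and a hash total of ids."""
    records = [line.split(b",") for line in data.splitlines() if line.strip()]
    return {
        "count": len(records),
        "value_total": sum(int(r[2]) for r in records),
        "id_hash_total": sum(int(r[0]) for r in records),  # meaningless sum of ids
    }


def file_mac(data: bytes, key: bytes = SHARED_KEY) -> str:
    """Keyed integrity check over the whole file (HMAC-SHA256, hex encoded)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_batch(received: bytes, expected_totals: dict, expected_mac: str) -> list:
    """Return the list of control failures for a received file (empty = accepted)."""
    failures = []
    got = control_totals(received)
    for name, expected in expected_totals.items():
        if got[name] != expected:
            failures.append(f"{name}: expected {expected}, got {got[name]}")
    # constant-time comparison so the check itself does not leak the MAC
    if not hmac.compare_digest(file_mac(received), expected_mac):
        failures.append("mac: file content does not match sender's HMAC")
    return failures


def demo() -> dict:
    """Run the controls against the genuine file and three tampered copies."""
    expected = control_totals(BATCH)
    mac = file_mac(BATCH)
    scenarios = {
        "original": BATCH,
        # a record replayed twice: caught by the record count alone
        "duplicated record": BATCH + b"0004,45678901,75000\n",
        # an amount corrupted in transit: caught by the value total
        "corrupted amount": BATCH.replace(b"0003,34567890,999", b"0003,34567890,9990"),
        # beneficiary account changed, amount untouched: every arithmetic
        # control still balances; only the keyed hash detects it
        "diverted payment": BATCH.replace(b"23456789", b"99999999"),
    }
    return {name: check_batch(data, expected, mac) for name, data in scenarios.items()}


if __name__ == "__main__":
    for name, failures in demo().items():
        print(f"{name:18s} -> {'ACCEPTED' if not failures else failures}")
```

Running the script prints one line per scenario; the “diverted payment” case fails only the MAC check, which is exactly the gap the arithmetic totals leave. The sender computes the totals and the MAC when the file is written and passes them over a separate path (or inside a signed header); the receiver refuses the batch if any control fails.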
Reprise
• We’ve looked at
– What e-business risks are
– What’s at risk
– Who / What it’s at risk from
– Where it’s at risk
– How it’s at risk
– What we can do about it
– What to do after implementation to maintain security
Sources of Information
• Site Security Handbook– http://www.landfield.com/rfcs/rfc2196.html
• SANS Institute– http://www.sans.org
• ISACA– http://www.isaca.org
Conclusions
• Effective Security is fundamental to the conduct of E-Business
• e-business is changing security from rule based to trust based
• lots of technology, but business still needs to keep control of security
• Need to know and manage all risks
• there is a lot of help out there
Feedback
• How was it for you?????
Thank you!