
Page 1: Controlling the e-developments Charles Mansour, CISA ISACA Technical Presentation 16th November 2000

Controlling the e-developments

Charles Mansour, CISA

ISACA Technical Presentation

16th November 2000

Page 2

Introduction

• Me

  – Been involved in auditing Computer Systems since 1983

  – In Computer Audit in Woolwich plc (Retail Bank) since 1986

  – Involved in systems developments more or less continuously

Page 3

Audience Make Up

• All Auditors???

Page 4

Summary of Session

• Look at why risk management in E-Business Development is important

• Analyse the E-Business risk ‘big picture’

• Examine some ways of containing risks

Page 5

Signpost

• Should last for just about 40 Minutes

• Questions – about five minutes

• Handouts

Page 6

Businesses Fail Because they don’t manage risks!

Small companies face hacker threat Friday, October 13, 2000 E-Commerce Half of all small to medium-sized businesses that manage their own security will have been hit by an internet-based attack by 2003, industry analyst Gartner has warned.

SDMI Denies Hackers Trumped Security - Update Tuesday, October 17, 2000 E-Commerce The Secure Digital Music Initiative (SDMI) forum is denying that hackers successfully hacked into copyright-protected software, as part of a $10,000 challenge the company issued to anyone who thought themselves capable of compromising its technology.

ClickAction says FBI investigating marketing e-mail incident Friday, October 13, 2000 E-Commerce ClickAction Inc., which provides e-mail marketing, said it is working with the FBI to investigate a prank involving one of the company's ad campaigns for the Republican party. By Bloomberg Boston Herald ……. ClickAction shares fell 1/2 to 7 1/2.

Page 7

Background to Security

• Who could be active in your system?

  – 30 years ago

    • Technical staff and few users

  – 25 years ago

    • Technicians and knowledgeable users

  – 10 years ago

    • technicians, most users, some partner firms

  – NOW

    • THE WORLD!

• and we’re inviting them in!

(Diagram labels:) Rule Based Security – Trust based Security – What’s Security?

Page 8

Increasing Significance of E-Business Security

• E-Business is becoming more important

  – Will be critical to operations of most businesses

  – e-payment

  – b2b

  – b2c

  – Internet banking

• Delivery Channels are proliferating

• Security is now a major factor when people decide to do E-business

Page 9

Why Bother with Security in E-Business Development

• It’s cheaper!

• It’s more likely to get done

• It has a better chance of being embedded in the offering, rather than being built around it

• generally provides a better quality solution

Page 10

Who’s Responsible for E-Business Security

• E-Business Risk and Data / systems should be ‘owned’ by the Business

  – IT / Security have Stewardship Responsibility

• Main Players

  – Business

  – IT Management

  – Security Function

  – Customers / Suppliers

Page 11

What are the Risks?

• Fraud

• Unauthorised access

• Interception

• Alteration

• Spoofing

• Repudiation

• Attacks

• Legal / Regulatory Sanction

Page 12

What’s at Risk?

• Assets

  – Host Systems

  – Core Data / Information

  – Resources e.g. WEB pages

  – Funds

  – Reputation

Page 13

Who’s it at Risk From?

• Hackers

  – casual

  – determined attack

• Customers Systems

  – do we know their systems are secure?

• Own People

  – technicians

  – users

  – business and developers (unwittingly!)

Page 14

Where is it at Risk?

• Corporate culture

• Perimeter / interface with outside world

• Core systems, programmes and files

• Network environment

• Telecomms environment

• In the development process itself

Page 15

How is it at Risk?

• Hack

  – casual / mischievous

  – determined

  – damage

  – DDOS (Distributed Denial of Service)

• Data Interception / Alteration

• Lack of resilience / performance

• Unauthorised Access

• Poor performance Attack

Page 16

How is it at Risk?

• Re-direction (spoofing)

• Interception / Extraction

• Corruption

• Duplication

• Unauthorised Change

• Implementation of incomplete systems

Page 17

How is it at Risk in the Development Lifecycle (SDLC)?

• Business want it NOW!!!

• Security is an afterthought

• Risks not assessed / accepted, or ignored

• Lack of Development Disciplines / Structure

• Inadequate testing (especially security)

• Business ‘frozen out’ - IT take over

• The ‘pilot implementation’. Re-Work (not enhancement!) after implementation

• partial development - needs holistic view

Page 18

What can we do About it in the SDLC?

• Beginning

  – Commitment to Security

    • Business need to see E-Business security as an enabler, and a fact of life in E-Business

  – Adopt Standards (the ‘Road Map’)

    • BS7799

    • CoBIT

  – Risk Analysis

    • what’s at risk / where / how much

  – Development Disciplines / Strong Project Management

Page 19

What can we do About it in the SDLC?

• Middle

  – QA / Independent (Expert) Review

  – Security Acceptance Criteria for implementation

  – Test security - Testing environment HAS to look like the real world - fight for the resource!

  – holistic testing approach

    • all points of vulnerability

    • customer systems / connections

    • all connected systems

Page 20

What can we do About it in the SDLC?

• End

  – Pen Test

    • Before / after implementation

    • Will determine weak points

    • Costs money

    • Should be no surprises, but…..

  – Security should be major factor when Business accepts system for implementation

Page 21

What can we do Following Implementation

• Regularly review risk profile

  – Things are constantly changing

• Keep abreast of security exposures

  – [email protected]

• Ensure that all patches and Service packs are taken and applied

• Unannounced penetration tests

Page 22

Network Controls

• Encryption

• Firewalls

• Honeypots

• Packet sniffer (SNORT)

• Monitoring / Reporting software

• Test, test, test

• Pen Test

Page 23

People Controls

• External

  – PKI

    • non-repudiation

  – Passwords

  – Firewalls, access gateways

    • prevent access

• Internal

  – Security Policy / Logical Security

  – Management Control

  – Development Disciplines

Page 24

Data Controls

• Encryption

• Packet switching

• Change Control

• File Control Totals

• File / Directory Security
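The ‘File Control Totals’ bullet is the batch-integrity check that counters the corruption, duplication and unauthorised-change risks listed on the earlier slides: the sender computes a record count, a value total and a hash total over a batch, and the receiver recomputes them before releasing the batch for processing. The following Python is an added example and is not from the presentation; the record layout, field names and the three sample transactions are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed sample batch (not real data): three payment instructions as a
# receiving system might get them from a customer or partner file transfer.
SAMPLE_BATCH = [
    {"id": "TXN-0001", "account": "12345678", "amount_pence": 1050},
    {"id": "TXN-0002", "account": "87654321", "amount_pence": 250000},
    {"id": "TXN-0003", "account": "11112222", "amount_pence": 999},
]


@dataclass(frozen=True)
class ControlTotals:
    """Trailer-record style totals the sender computes and the receiver re-checks."""
    record_count: int
    amount_total: int   # sum of amount_pence over the batch
    hash_total: str     # SHA-256 over the canonical bytes of every record, in order


def canonical_bytes(record):
    """Serialise a record deterministically so both ends hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_totals(records):
    digest = hashlib.sha256()
    amount_total = 0
    for record in records:
        digest.update(canonical_bytes(record))
        digest.update(b"\n")  # record separator, so boundaries are part of the hash
        amount_total += record["amount_pence"]
    return ControlTotals(len(records), amount_total, digest.hexdigest())


def duplicate_ids(records):
    """Transaction ids that appear more than once (a replayed or doubled record)."""
    seen, dupes = set(), []
    for record in records:
        if record["id"] in seen and record["id"] not in dupes:
            dupes.append(record["id"])
        seen.add(record["id"])
    return dupes


def verify_batch(records, expected):
    """Reconcile a received batch against the sender's control totals.

    Returns a list of discrepancy strings; an empty list means the batch
    reconciles and can be released for processing.
    """
    actual = compute_totals(records)
    problems = []
    if actual.record_count != expected.record_count:
        problems.append(f"record count {actual.record_count} != expected {expected.record_count}")
    if actual.amount_total != expected.amount_total:
        problems.append(f"amount total {actual.amount_total} != expected {expected.amount_total}")
    if actual.hash_total != expected.hash_total:
        problems.append("hash total mismatch: record content altered, reordered or replaced")
    for dup in duplicate_ids(records):
        problems.append(f"duplicate transaction id {dup}")
    return problems


if __name__ == "__main__":
    totals = compute_totals(SAMPLE_BATCH)
    print("clean batch:", verify_batch(SAMPLE_BATCH, totals))
    # Duplication: record count, amount total and hash total all move.
    print("duplicated record:", verify_batch(SAMPLE_BATCH + [SAMPLE_BATCH[0]], totals))
    # Unauthorised change that preserves the money total: only the hash total catches it.
    swapped = [dict(r) for r in SAMPLE_BATCH]
    swapped[1]["account"] = "99999999"
    print("account altered:", verify_batch(swapped, totals))
```

The three totals are deliberately overlapping: the count catches dropped or doubled records, the amount total catches a changed value, and the hash total catches changes (such as a swapped account number or a reordered file) that leave count and value intact. The totals must travel with the file over a channel the sender controls, such as a signed trailer record or a separate notification, because a hash an attacker can rewrite alongside the data proves nothing.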

Page 25

Reprise

• We’ve looked at

  – What e-business risks are

  – What’s at risk

  – Who / What it’s at risk from

  – Where it’s at risk

  – How it’s at risk

  – What we can do about it

  – What to do after implementation to maintain security

Page 26

Sources of Information

• Site Security Handbook

  – http://www.landfield.com/rfcs/rfc2196.html

• SANS Institute

  – http://www.sans.org

• ISACA

  – http://www.isaca.org

[email protected]

Page 27

Conclusions

• Effective Security is fundamental to the conduct of E-Business

• e-business is changing security from rule based to trust based

• lots of technology, but business still needs to keep control of security

• Need to know and manage all risks

• there is a lot of help out there

Page 28

Feedback

• How was it for you?????

Thank you!