
Internet Security for Small & Medium Business

E-security

Why do I need e-security?


www.noie.gov.au/publications/NOIE/trust/Chap1/index.htm

The potential of the Internet


- Email and the World Wide Web
- 500 million people connected to the Internet
- The benefits of doing business over the Internet:
  - Increased potential customer base
  - Reduced paperwork and administration
  - Reduced time to receive orders, supply goods, and make and receive payments
  - Access to a greater range of suppliers

E-Security: Security in Cyberspace

WHY IS THE INTERNET DIFFERENT?


Paper-based commerce                  | Electronic commerce
--------------------------------------|----------------------------------------
Signed paper documents                | Digital signature
Person-to-person                      | Electronic, via website
Physical payment system               | Electronic payment system
Merchant and customer face-to-face    | Absence of face-to-face contact
Easy detectability of modification    | Difficult detectability of modification
Easy negotiability                    | Special security protocol

Security Design Process

Network Traffic

You may consider:
- E-banking
- E-shopping
- E-tailing
- Sending and receiving orders to and from partners
- Lodging your tax return or business activity statements, or conducting other transactions with government agencies

Why is security an issue on the Internet?


The Internet carries risk:
- According to the FBI, last year more than 1 million credit card numbers were stolen via the Internet
- Information transmitted over the Internet can be intercepted at any point

Overview of security needed

Businesses need to consider:
- The basic applications, such as email
- How to go about buying and selling online
- How to protect their computer systems
- The legal issues surrounding e-business

E-security technologies
Four basic security principles:
- Authenticity
- Security
- Non-repudiation
- Privacy or confidentiality

IV. A Four Pillar Approach

Pillar 1 Legal framework, Incentives, Liability


- No one owns the Internet, so how can self-regulation work?
- Basic laws in the e-security area vary a lot across countries, as do penalties
- Defining a money transmitter
- How to define a proper service level agreement (SLA)
- Downstream liability
- Issues in certification and standard setting

Pillar 2 Supervision and External Monitoring


- Technology supervision and operational risk: retail payment networks; commercial banks; e-security vendors
- Capital standards and e-risk
- On-site IT examinations
- Off-site processes
- Coordination: between regulatory agencies; between supervisors and law enforcement
- Cyber-risk insurance
- Education and prevention

Pillar 3 Certification, Standards, Policies and Processes


- Certification: software and hardware; security vendors; e-transactions
- Policies
- Standards
- Procedures

Pillar 4 Layered Electronic Security

- 12 core layers of proper e-security
- Part of proper operational risk management
- General axioms in layering e-security:
  - Attacks and losses are inevitable
  - Security buys time
  - The network is only as secure as its weakest link

GSM Vulnerabilities
- SIM card vulnerability
- SMS bombs
- Gateway vulnerability
- WAP vulnerability
- Man-in-the-middle attack

Authentication technologies
Authentication technologies rely on:
- Something you know
- Something you possess
- Something you are (a unique physical quality)

Password systems for authenticating identities and communications:
- Secure Sockets Layer (SSL) technologies
- Public key infrastructure (PKI)
- Virtual private network (VPN)
- Secure managed services
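As an added example (not part of the original slides), the following Python code combines two of the factors listed above: "something you know" (a password stored as a salted, iterated PBKDF2 hash) and "something you possess" (a time-based one-time password as produced by an authenticator app, per RFC 4226/6238). It uses only the standard library; the user record, password, shared TOTP secret and iteration count are constructed for the demonstration and are not real credentials or a recommended policy.

```python
# Added example: two-factor check = salted password hash + TOTP code.
# Standard library only; all credentials below are constructed demo values.
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumption: demo value, tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt per user defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 + dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second time step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate small clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def enrol(password: str, totp_secret: bytes) -> dict:
    """Build the stored record for a user: salt, derived key and TOTP seed (constructed)."""
    salt, key = hash_password(password)
    return {"salt": salt, "key": key, "totp_secret": totp_secret}


def authenticate(password: str, code: str, record: dict, at_time: Optional[int] = None) -> bool:
    """Both factors must pass; failing either one rejects the login."""
    if at_time is None:
        at_time = int(time.time())
    return (verify_password(password, record["salt"], record["key"])
            and verify_totp(record["totp_secret"], code, at_time))


if __name__ == "__main__":
    # Constructed demo user; the TOTP seed is the RFC 6238 test-vector secret.
    record = enrol("correct horse battery staple", b"12345678901234567890")
    now = int(time.time())
    good_code = totp(record["totp_secret"], now)
    print("valid login:   ", authenticate("correct horse battery staple", good_code, record, now))
    print("wrong password:", authenticate("password123", good_code, record, now))
    print("wrong code:    ", authenticate("correct horse battery staple", "000000", record, now))
```

The TOTP seed used in the demo is the published RFC 6238 test-vector secret, so the codes it produces can be checked against the RFC's tables; in a real deployment the seed is generated per user with `os.urandom` and never reused.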

The pyramid of authentication technologies

From the top (high level of security offered, for highly valued information) to the bottom (lower level of security offered, for less valuable information):
1. PKI plus biometrics
2. Digital signature certificate - PKI
3. Digital signature certificate - PGP
4. Passwords + SSL
5. Password / tokens

How to send email securely?


Email network (diagram): web-based email server, intranet email server, mail servers, and email users.

Secure web email
- A web-based email service is a sensible choice

Dedicated email encryption
- Use public keys and PGP
- Secure email gateways

Secure email versus postal mail
- A secure envelope, with the contents inside signed and authenticated
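The "secure envelope" above is the property the comparison table earlier calls detectability of modification: the recipient can tell whether anything was changed in transit. As an added example that is not part of the original slides, the Python code below builds such an envelope and verifies it. The slides point at PGP and public-key signatures, which need a third-party library, so this example substitutes a shared-key HMAC from the standard library; the integrity-and-authenticity check it demonstrates is the same, but it is not PGP and the key must be shared in advance. The key, sender and message are constructed.

```python
# Added example: a sealed message envelope whose tag lets the recipient detect
# any change to the header or body. Uses HMAC-SHA256 (shared key) rather than
# a PGP signature; all values are constructed for the demonstration.
import hashlib
import hmac
import json
from typing import Optional, Tuple


def seal(key: bytes, sender: str, body: str) -> str:
    """Serialise the message canonically and append an authentication tag over it."""
    payload = json.dumps({"from": sender, "body": body},
                         sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return payload + "\n" + tag


def open_envelope(key: bytes, envelope: str) -> Tuple[bool, Optional[dict]]:
    """Return (True, fields) only if the tag verifies; anything else is (False, None)."""
    try:
        payload, tag = envelope.rsplit("\n", 1)
    except ValueError:          # no tag line at all
        return False, None
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, None
    return True, json.loads(payload)


def tamper(envelope: str, old: str, new: str) -> str:
    """Simulate an edit in transit: change the contents, leave the tag untouched."""
    return envelope.replace(old, new, 1)


if __name__ == "__main__":
    key = b"constructed-demo-shared-key"
    env = seal(key, "alice@example.com", "Pay supplier invoice 1042 for 100 AUD")
    print("intact:   ", open_envelope(key, env)[0])
    print("modified: ", open_envelope(key, tamper(env, "100 AUD", "900 AUD"))[0])
    print("wrong key:", open_envelope(b"other-key", env)[0])
```

The tag covers the sender field as well as the body, so changing who the message appears to come from is detected just like changing the amount; that is the "signed and authenticated" part of the slide, while confidentiality of the contents (the envelope itself) would need encryption on top.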

How to conduct secure transaction online?


SSL and e-commerce; SSL limitations:
- Data transmitted using SSL
- SSL offering strong authentication
- A secure envelope
- A guarantee to your destination
- Signature on the envelope

How to deal with other e-security threats?

- Viruses
- Hacking
- Denial of service
- Dumping
- Port scanning and sniffing
- Method of protection: firewall

Securing your own PC


- File sharing
- Browser security

The importance of the real world security


- Ensure your workplace IT equipment is stored in a secure and lockable location
- Keep up-to-date logs of all equipment

Privacy - important issue for e-security


- The Privacy Act and e-security
- Website privacy policies
- Cookies and web bugs
- Monitoring staff online

Laws applying to e-business


Electronic Transactions Act 1999 (ETA), covering:
- Giving information in writing
- Providing a signature
- Producing a document in material form
- Recording or retaining information

Thanks!

CBRC
