Internet Security for Small & Medium Business
E-security
Why do I need e-security?
www.noie.gov.au/publications/NOIE/trust/Chap1/index.htm
The potential of the Internet
Email and the World Wide Web
500 million people are connected to the Internet
The benefits of doing business over the Internet:
Increased potential customer base
Reduced paperwork and administration
Reduced time to receive orders, supply goods and make and receive payments
Access to a great range of supplies
E-Security: Security in Cyberspace
Why is the Internet different?
Paper-based commerce                    Electronic commerce
Signed paper documents                  Digital signature
Person-to-person                        Electronic via website
Physical payment system                 Electronic payment system
Merchant and customer face-to-face      Face-to-face absent
Easy detectability of modification      Difficult detectability of modification
Easy negotiability                      Special security protocol
Security Design Process
Network Traffic
You may consider:
E-banking
E-shopping
E-tailing
Sending and receiving orders to and from partners
Lodging your tax return or business activity statements, or conducting other transactions with government agencies
Why is security an issue on the Internet?
The Internet carries risk
According to the FBI, last year more than 1 million credit card numbers were stolen via the Internet
Information transmitted over the Internet can be intercepted at any point
Overview of security needed
Businesses need to consider:
The basic applications, such as email
How to go about buying and selling online
How to protect the computer system
The legal issues surrounding e-business
E-security technologies
Four basic security principles
Authenticity
Security
Non-repudiation
Privacy or confidentiality
IV. A Four Pillar Approach
Pillar 1 Legal framework, Incentives, Liability
No one owns the Internet, so how can self-regulation work?
Basic laws in the e-security area vary a lot across countries, as do penalties
Defining a money transmitter
How to define a proper service level agreement (SLA)
Downstream liability
Issues in certification and standard setting
Pillar 2 Supervision and External Monitoring
Technology supervision and operational risk:
Retail payment networks
Commercial banks
E-security vendors
Capital standards and e-risk
On-site IT examinations
Off-site processes
Coordination: between regulatory agencies; between supervisors and law enforcement
Cyber-risk insurance
Education and prevention
Pillar 3 Certification, Standards, Policies and Processes
Certification of:
Software and hardware
Security vendors
E-transactions
Policies, standards and procedures
Pillar 4 Layered Electronic Security
12 core layers of proper e-security
Part of proper operational risk management
General axioms in layering e-security:
Attacks and losses are inevitable
Security buys time
The network is only as secure as its weakest link
GSM Vulnerabilities
SIM card vulnerability
SMS bombs
Gateway vulnerability
WAP vulnerability
Man-in-the-middle attack
Authentication technologies
Authentication technologies rely on:
Something you know
Something you possess
Something you are (a unique physical quality)
Password systems for authenticating identities and communications:
Secure Sockets Layer (SSL) technologies
Public key infrastructure (PKI)
Virtual private network (VPN)
Secure managed services
The pyramid of authentication technologies
(Top of the pyramid: high level of security offered, for highly valued information. Bottom: lower level of security offered, for less valuable information.)
PKI plus biometrics
Digital signature certificate - PKI
Digital signature certificate - PGP
Passwords + SSL
Password / tokens
How to send email securely?
Email network (diagram): web-based email server, intranet email server, mail servers and email users
Secure Web email
Web-based email service is a sensible choice
Dedicated email encryption
Use public key and PGP
Secure email gateways
Secure email versus postal mail:
Secure envelope
Inside being signed and authenticated
How to conduct secure transaction online?
SSL and e-commerce
SSL limitations
Data transmitted using SSL
SSL offering strong authentication
A secure envelope
A guarantee to your destination
Signature on envelope
How to deal with other e-security threats?
Viruses
Hacking
Denial of service
Dumping
Port scanning and sniffing
Method of protection: firewall
Securing your own PC
File sharing
Browser security
The importance of the real world security
Ensure your workplace IT equipment is stored in a secure and lockable location
Keep up-to-date logs of all equipment
Privacy - important issue for e-security
The Privacy Act and e-security
Website privacy policies
Cookies and web bugs
Monitoring staff online
Laws applying to e-business
Electronic Transactions Act 1999 (ETA):
Giving information in writing
Providing a signature
Producing a document in material form
Recording or retaining information
Thanks!
CBRC