eSecurity AIIA / WITSA Policy Forum, 9 March 2001
Eric Keser, Principal, eSecurity Solutions
18 May 2001
e-COMMERCE Security Exposures
New Exposures:
• Public, private, and not-so-private networks
• Direct connections with business partners
• Automated business processes
• Fewer humans in the loop
• New types of trust relationships
= more exposure to threats to security and reliability
18 May 2001 Liability is limited by the Accountants’ Scheme under the Professional Standards Act 1994 (NSW)
e-COMMERCE Security Requirements
• To ensure availability of information & services
• To securely allow access to information & services
• To prevent loss of integrity of information & transactions
• To provide authenticity of all parties
• To provide confidentiality of information & transactions
• To provide non-repudiation to all parties
• To provide an audit log of significant events
• To provide fraud prevention and other mis-use controls
e-COMMERCE Technology Solutions
[Bar chart: firewall adoption, 81%]
• 70-80% mis-configured
• Testing: External 84%, In-House 72%
e-COMMERCE Technology Solutions
[Bar chart of technologies in use: Firewall, SSL, Digital Cert., Other (81%)]
• Algorithms: MD5, SHA, RSA, DES, IDEA; X.509 (a certificate format rather than an algorithm)
• Applications: PGP, PEM
(MD5 and single DES are no longer considered secure for new systems.)
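The requirements slide lists integrity, authenticity and non-repudiation as separate goals, and the technology slide lists the primitives (SHA, RSA) that supply them. The following added example, which is not part of the presentation, shows why the three are different by exercising a bare hash, a keyed MAC and an RSA signature over a constructed order message. The party names, the order message and the fixed Mersenne-prime RSA keys are assumptions for illustration; the RSA is textbook (no padding) and is never to be used as-is.

```python
"""Hash, MAC and signature mapped to the slide's security requirements.

Added example, not part of the presentation. Toy RSA with fixed
Mersenne-prime moduli and no padding: illustrative only, never for
production. SHA-256 and HMAC come from the standard library.
"""
import hashlib
import hmac
import secrets

# Integrity: a digest detects any change, but anyone can recompute it,
# so on its own it says nothing about who produced the message.
def digest(message: bytes) -> str:
    # SHA-256; the slide's MD5 (and SHA-1) are no longer collision resistant
    return hashlib.sha256(message).hexdigest()

# Authenticity between two parties sharing a secret key: HMAC.
def mac(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def mac_verify(key: bytes, message: bytes, tag: str) -> bool:
    # constant-time comparison avoids a timing side channel on the tag
    return hmac.compare_digest(mac(key, message), tag)

# Non-repudiation: RSA signature over the digest. Only the holder of the
# private exponent can produce it; anyone with the public key can check it.
# The primes below are Mersenne primes chosen so the example is
# deterministic (an assumption for illustration; real keys need random,
# unstructured primes generated by a vetted library).
ALICE_PRIMES = (2**521 - 1, 2**607 - 1)
BOB_PRIMES = (2**1279 - 1, 2**2203 - 1)
E = 65537

def toy_rsa_keypair(p: int, q: int):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse, Python 3.8+
    return (n, E), (n, d)  # (public, private)

def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(_digest_int(message), d, n)

def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message)

def demonstrate() -> dict:
    """Run the three mechanisms over a constructed order message."""
    order = b'{"order": 1001, "amount": "250.00", "payee": "ACME"}'  # constructed
    tampered = order.replace(b"250.00", b"2500.00")
    shared_key = secrets.token_bytes(32)  # merchant <-> bank MAC key
    alice_pub, alice_priv = toy_rsa_keypair(*ALICE_PRIMES)
    bob_pub, _ = toy_rsa_keypair(*BOB_PRIMES)

    tag = mac(shared_key, order)
    sig = sign(alice_priv, order)
    return {
        "hash_detects_change": digest(order) != digest(tampered),
        "mac_accepts_original": mac_verify(shared_key, order, tag),
        "mac_rejects_tampered": not mac_verify(shared_key, tampered, tag),
        # the recipient holds the same key, so it could have forged the tag:
        # a MAC cannot prove to a third party which party sent the message
        "mac_forgeable_by_recipient": mac_verify(shared_key, tampered, mac(shared_key, tampered)),
        "sig_accepts_original": verify(alice_pub, order, sig),
        "sig_rejects_tampered": not verify(alice_pub, tampered, sig),
        "sig_rejects_wrong_signer": not verify(bob_pub, order, sig),
    }

if __name__ == "__main__":
    for check, ok in demonstrate().items():
        print(f"{check:28s} {'OK' if ok else 'FAIL'}")
```

The point the slides leave implicit is the last three checks: the MAC gives the bank assurance that the merchant sent the order, but because the bank holds the same key it could have produced the tag itself, so the tag proves nothing to a court; the signature can only have come from the holder of Alice's private exponent, and that is what non-repudiation requires. An audit log of significant events, also on the requirements slide, would record the signature alongside the message so the evidence survives.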
e-COMMERCE People Solutions
• Security Organisational Structure
• Roles and Responsibilities
• Emergency Response Program
• Security Awareness Program
• Risk Management Program
• Monitoring and Escalation Program
PRIVACY
PRIVACY Changes
Privacy Amendment (Private Sector) Act 2000 is effective 22 December 2001.
Imposes privacy obligations on most private sector organisations.
Requires compliance with the National Privacy Principles (NPPs) or an approved privacy code:
• Collection
• Use & Disclosure
• Data Quality & Security
• Access & Correction
• Anonymity
• Openness
• Onward Transfer
• Unique Identifiers
PRIVACY International Exchange
Restricts the international transfer of personal information by an Australian organisation. The recipient country must have in place a law, binding scheme or contract which upholds privacy standards equivalent to the NPPs. Hong Kong, New Zealand and Taiwan have comprehensive privacy regimes in place.
PRIVACY International Exchange
Other Asia-Pacific countries are in the process of developing, or already have in place, specific industry codes or guidelines. Canada and the EU similarly have legislation in place. The USA is still developing its self-regulatory model.
PRIVACY System Issues
Organisations must provide 'opt-outs' on all direct marketing material.
• Systems are generally not capable of efficiently administering such a requirement; two levels of filter may be needed, e.g. one flag recording the preference not to receive direct marketing and another ensuring that general information (e.g. bank statements) is still sent to the customer.
PRIVACY System Issues
Organisations also need to provide individuals with access to their information.
• This may be an administrative burden where information is retained on disparate systems. There is also an issue where customer representatives record free-text 'notes' on systems, and adequate security measures have often not been implemented on those systems.
THE LAW
LAW Tyranny of Distance
Modern communication lines and information technology have opened a new area of data transfer, which in turn has produced a new form of criminal element. With the advent of the cyber criminal, law enforcement has been confronted with inadequate legislation, the need to implement new techniques, and cross-jurisdictional issues.
LAW Jurisdictional Issues
• Where was the crime committed?
• Who should investigate the crime?
• Who will bear the cost of the investigation?
• Who has the appropriate legislation to pursue the criminal?
LAW Policing the Internet
• Each country has its own answer
• Most rely on traditional crime legislation to cover crime on the Internet
• Different approaches compound the difficulties of successful pursuit and prosecution
• Civil remedies can succeed where criminal prosecution is failing
THE LAW Which Law?
Offences can now occur across the world, but an incident which equates to an offence in one country does not necessarily equal an offence in another. A recent example is the 'Love Bug': an investigation commenced in the USA (where the spread of a computer virus is recognised as an offence) led to a suspect being tracked to the Philippines, where many problems arose because the country did not have laws recognising the spread of a computer virus as an offence.
THE LAW Offence vs Cost
What was the monetary value of the occurrence, versus:
• Cost of sending investigators to the suspect's location
• Cost of interviewing witnesses at their location
• Cost of collating the evidence
• Cost of prosecution
THE LAW Where was it committed?
The simple premise of "where the crime was committed" causes issues for law enforcement:
• Does the offender sitting in his bedroom commit the offence from his house?
• Or is the offence committed on the server he has just hacked into?
• Do law enforcement investigators have the statutory authority to investigate the offence on either side?
• Can either jurisdiction successfully prosecute for the offence?
THE LAW Existing IT crime laws
• Computer Trespass