Information Management Security: A Necessary Pre-requisite for ICT Deployment for National Development in Nigeria

Presented by DN S. B. Bamidele, CISM, CGEIT, CSOXP, CCGP, CISA
Work experience: Nigeria - NB plc and Lagos State Government; USA - KPMG, EDS, HP and Control Solutions
At the "eNigeria 2010" International Conference and Exhibition, 18 May 2010

Organization of Presentation
I. The Critical Nature of Information Security
II. Wrong Perspectives to Information Security
III. Information Security Attacks and Hackers
IV. E-Payment Attack Scenarios (Examples of Security Challenges)
V. Countermeasures (Organization, Personnel, Technology, Processes)
VI. Information Security Objectives
VII. Way Forward & Recommendations
VIII. Discussion & Conclusion

The Critical Nature of Information Security

INTRODUCTION
Government and enterprises have become increasingly dependent on IT to run their operations in this era of global economy, cross-organization collaboration, online trade and e-payment adoption. The speed, accuracy and integrity of information are critical to the business: they are the difference between having doubts about financial statements and being confident of their accuracy. Information management security is therefore critical to an entity's ability not only to survive but also to thrive, all the more so now that businesses have "gone global" through expanding e-commerce capabilities.

CONCEPT OF E-COMMERCE - eNIGERIA
Applications fuel businesses, and increasingly complex applications and their information are the lifeblood of today's fast-paced e-commerce businesses. The health and viability of an e-commerce business is therefore heavily dependent on the strength and security of its ICT systems.
It follows that information management security is a necessary pre-requisite for ICT deployment for national development in Nigeria, especially for the success of our "ICT4D plan and Global E-Payment Adoption". To achieve the national development program of the Seven Point Agenda and Vision 20-2020, ICT security must be accorded the necessary priority by all.

DEFINITIONS
"Information security provides the assurance for trust, confidentiality, integrity, availability of business transactions and information; and ensures critical confidential information is withheld from those who should not have access to it." - ISACA
All measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use. - COBIT

CARDHOLDER DATA SECURITY - E-PAYMENT
The Payment Card Industry Data Security Standard (PCI DSS), developed by the PCI Security Standards Council, enhances cardholder data security and facilitates the broad adoption of consistent data security measures globally. Its requirements apply to every system component that is included in, or connected to, the cardholder data environment:
Network
Servers
Applications

Wrong Perspectives to Information Security

SOME SOURCES OF EXPOSURE FOR EXECUTIVES
Failure to mandate the right security culture.
Failure to implement an effective control framework.
Inability to embed risk management into corporate strategy.
Not being able to detect which security weaknesses are the most critical and significant, and where they exist within the organization.
Risk management investments not well monitored.
Failure to measure the performance of investments in information security initiatives, and to know what residual security risk remains.
SOME SOURCES OF EXPOSURE ORGANIZATION-WIDE
Security is seen as someone else's responsibility.
No collaborative effort to link the security program to business goals.
The exact role of information security is not clearly defined.
Enterprises too often view information security in isolation; some view it as solely a technical discipline.
Businesses still struggle to keep up with regulatory requirements, economic conditions and risk management.

SOME POPULAR FALLACIES
"If I never log off, then my computer can never get a virus."
"I got this disc from my IT department / manager / boss / mother / friend / spouse, so it must be okay."
"But I only downloaded one file."
"I am too smart to fall for a scam."
"My friend, who knows a lot about computers, showed me this really cool site..."
"My vendor will protect me."
It is easy for these compartmentalized approaches to lead to weaknesses in security management, possibly resulting in serious exposure.
Information Security Attacks

POTENTIAL SECURITY ISSUES
Denial of Service (DoS) attacks
Website defacement or modification
Viruses and worms
Data sniffing, phishing, spoofing, SMishing
Malicious code and Trojans
Port scanning and probing
Wireless attacks
Theft of confidential information
System sabotage
Internal staff abusing access
Financial fraud through deception
Theft of computer equipment

[Chart: World-Wide Cyber Attack Trends, 1995-2002. One axis: malicious code infection attempts*, scaled 0 to 900M; the other: network intrusion attempts**, scaled 0 to 120,000. Milestones in order: polymorphic viruses (Tequila), mass mailer viruses (Love Letter/Melissa), denial of service (Yahoo!, eBay), blended threats (CodeRed, Nimda, Slammer), zombies. * Analysis by Symantec Security Response using data from Symantec, IDC & ICSA. ** Source: CERT; 2002 intrusion attempts were 82,094; the 1Q and 2Q 2003 total was already 76,404.]

TYPES OF E-FRAUD
Identity theft
Extortion (reputation)
Salami slice
Funds transfer
Electronic money laundering

IDENTITY THEFT FOR E-PAYMENT FRAUD
Identity theft is when your personal information is stolen and used illegally, especially for e-payment.
Security requirement and the mechanism that provides it:
Keep financial data secret from unauthorized parties (privacy): cryptography (encryption)
Verify that messages have not been altered in transit (integrity): hash functions
Non-denial that a party engaged in a transaction (non-repudiation): digital signatures
Verify the identity of users (authentication): passwords, PINs, security keys, digital certificates
Note that a bare hash only detects accidental corruption; against an attacker who can replace both the message and its hash in transit, integrity needs a keyed MAC or a digital signature.

E-Payment Attack Scenarios

PROBLEM: ATM AND CREDIT CARD FRAUDS - A BANKING CLIENT CASE STUDY
Some of our findings:
Identity theft by impersonation through fake phishing emails, SMS SMishing and website spoofing. Phishing email subject examples: "Your ABC bank account was temporarily suspended"; "Protect your ABC bank account"; "Update on your ABC bank account"; "ABC bank identity theft solutions".
Identity theft by packet sniffing to illegally capture packets of data such as passwords, IP addresses and protocols, which are then used to break into the network and databases.
Identity theft through internal staff releasing customer information to friends and other collaborators.
Hacking: breaking into the computer network, databases and servers to retrieve information.

Security solutions offered:
"Email Security Code": every email from the bank carries the customer's name, the last four digits of the card and the date of the last log-in, so that customers can verify the email was really sent by the bank.
"Confirm your identity": based on certain risk factors, the user must receive an "identification code" by voice call, text message or the email address on file, and enter that code before the log-in to the account succeeds.
Secure Sockets Layer (SSL) encrypts user IDs, passwords and account information en route and decrypts them at the other end. (SSL has since been superseded by TLS; the principle is the same.)
Use of GRC authorization and Segregation of Duties tools to minimize abuse of user access to incompatible combinations of sensitive customer account information.
Implementation of appropriate logging controls to detect user abuses.
Use of a new account on the bank's website payment-processing link requires verification by a small deposit and a small withdrawal that the user must confirm.
Protection with firewalls and specialized hardware and software to control all communications with the network.
Dynamic Security Key, which generates random temporary security codes on the go, required in addition to the PIN and card at the ATM. It comes in two types:
Token security key, a small device the size of a car remote.
Mobile phone security key, which receives the security code as an SMS on the go.
Constant monitoring of the security tools to detect, or proactively prevent, security breaches.
Result: customers increased by 86% in three months as a consequence of increased trust in the bank's security measures.

PROBLEM: REVENUE LEAKAGES - AN ENERGY, OIL & GAS CLIENT CASE STUDY
Some of our findings:
Financial fraud through deception: customers with overdue invoices went undetected and continued to owe more through new purchases.
Unauthorized and inappropriate access to systems: processing and collection of bad debts by unauthorized personnel.
Security solutions offered:
System controls to block sales orders until overdue invoices are resolved.
System-generated alerts for credit control management, followed by appropriate recovery measures (dunning).
Result: over $1.4m increase in revenue after two months.
PROBLEM: FICTITIOUS CONTRACTS & OVERPAYMENTS - A PUBLIC SECTOR CLIENT CASE STUDY
Some of our findings:
Financial fraud: duplicate invoice numbers exist for a vendor/contractor, and/or duplicate order numbers exist for a contract. Goods receipts are below or exceed the quantity on the reference PO. Invoice amounts do not match the goods receipt and/or the quantity listed on the reference PO.
Unauthorized and inappropriate access to systems: new or changed POs and contracts that contain invalid services exist.
Security solutions offered:
System controls to prevent processing of duplicate invoice numbers for the same vendor/contractor.
System controls to prevent processing of received quantities less or greater than those listed on the reference PO.
System controls to perform a three-way match of purchase orders, goods receipts and invoices within a defined tolerance limit before posting to the GL.
Use of GRC authorization and Segregation of Duties tools to minimize abuse of user access to incompatible combinations of functions across requisition, purchasing, receiving, invoicing and processing of vendor payments.
Result: more than $2.5m savings in expenditure after five months.

PROBLEM: RISKS AND SECURITY CONCERNS WITH CLOUD COMPUTING
Recommendations:
Reputation, history and sustainability are factors to consider in choosing a provider.
Business continuity and disaster recovery plans must be well documented and periodically tested.
Options to minimize impact if the provider's service is interrupted.
Agreed-upon service levels (SLA) with the provider.
Defined backups and recovery time objectives.
Proper classification and labeling of data for ease of identification and to ensure data are not merged with competitors'.
Transparency and a robust assurance approach to the cloud provider's security and control environment.

Countermeasures

SUGGESTED SECURITY BEST PRACTICES
Complete reliance on the strength of IT-based access controls.
Security policies, procedures and standards.
Application and data ownership.
Segregation of Duties.
Logical and physical security.
Super user privilege management.
Compliant user provisioning with access approval.
User-based role management (unique access based on need to know) and security administration.
Virus protection.
Authentication with any combination of ID, password, PIN, card, security code key on the go, biometric, etc.

INFORMATION MANAGEMENT SECURITY ROAD MAP
Effective risk management requires a strong balance of:
Organization: organizational support and dedicated management.
People: staff members play a critical role in protecting the integrity, confidentiality and availability of IT systems and networks; training, awareness, enforcement and compensation.
Technology: selection of appropriate technology, such as firewalls, intrusion detection, virus protection, authentication and authorization, encryption, and data and information backup.
Processes: effective and well-controlled processes, covering security goals (operating, financial and strategic objectives), risk factor impact analysis (internal and external), and evaluation and improvement of existing security practices.
The PCI Security Standards Council's required process to mitigate emerging e-payment security risks has helped a lot:
Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
Each of these interacts with, impacts and supports the others, often in complex ways, and if any one is deficient, information security is diminished.
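The three system controls from the public-sector case study (rejecting duplicate invoice numbers per vendor, checking goods-receipt quantities against the reference PO, and a three-way match of PO, goods receipts and invoice within a tolerance before posting to the GL) are simple to express in code. The following Python is an added example, not the client's system: the record layouts, the 2% tolerance and the sample documents are assumptions constructed for illustration.

```python
"""Procure-to-pay controls from the public-sector case study.

Added example, not the client's system: duplicate-invoice detection per
vendor, goods-receipt quantity validation against the reference PO, and a
three-way match within a tolerance before posting. Record layouts, the 2%
tolerance and all sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    number: str
    vendor: str
    quantity: int
    unit_price: float


@dataclass(frozen=True)
class GoodsReceipt:
    po_number: str
    quantity: int


@dataclass(frozen=True)
class Invoice:
    vendor: str
    number: str
    po_number: str
    quantity: int
    amount: float


def duplicate_invoices(invoices):
    """Detective control: invoice numbers seen more than once for the same vendor.
    Numbers are normalised (trimmed, upper-cased) so 'inv-55 ' and 'INV-55' collide."""
    counts = defaultdict(int)
    for inv in invoices:
        counts[(inv.vendor, inv.number.strip().upper())] += 1
    return {key: n for key, n in counts.items() if n > 1}


def received_quantity(po_number, receipts):
    return sum(r.quantity for r in receipts if r.po_number == po_number)


def validate_receipt(po, prior_receipts, new_receipt):
    """Preventive control on goods receipt: reject a receipt that would take the
    cumulative received quantity above the PO quantity, and hold a short delivery
    for follow-up. Returns None when the receipt may be posted, else the reason."""
    if new_receipt.po_number != po.number:
        return "reject: receipt does not reference this PO"
    total = received_quantity(po.number, prior_receipts) + new_receipt.quantity
    if total > po.quantity:
        return f"reject: over-receipt, {total} against PO quantity {po.quantity}"
    if total < po.quantity:
        return f"hold: under-receipt, {total} against PO quantity {po.quantity}"
    return None


def three_way_match(po, receipts, invoice, tolerance_pct=2.0):
    """Three-way match before posting to the GL: the invoice must reference this
    PO and vendor, must not bill more than was received, and its amount must lie
    within tolerance_pct of invoiced quantity x PO unit price."""
    if invoice.po_number != po.number or invoice.vendor != po.vendor:
        return "hold: invoice does not reference this PO and vendor"
    received = received_quantity(po.number, receipts)
    if invoice.quantity > received:
        return f"hold: invoiced quantity {invoice.quantity} exceeds received {received}"
    expected = invoice.quantity * po.unit_price
    if expected == 0:
        return "hold: nothing to match against"
    deviation_pct = abs(invoice.amount - expected) / expected * 100
    if deviation_pct > tolerance_pct:
        return (f"hold: amount {invoice.amount:.2f} deviates {deviation_pct:.1f}% "
                f"from expected {expected:.2f}")
    return "post"


if __name__ == "__main__":
    # Constructed sample documents, not client records.
    po = PurchaseOrder("PO-1001", "V-07", quantity=100, unit_price=25.0)
    receipts = [GoodsReceipt("PO-1001", 60), GoodsReceipt("PO-1001", 40)]
    invoices = [
        Invoice("V-07", "INV-55", "PO-1001", 100, 2500.00),   # clean
        Invoice("V-07", "inv-55 ", "PO-1001", 100, 2500.00),  # same number resubmitted
        Invoice("V-07", "INV-56", "PO-1001", 100, 2700.00),   # overpriced by 8%
        Invoice("V-07", "INV-57", "PO-1001", 120, 3000.00),   # bills more than received
    ]
    print("duplicates:", duplicate_invoices(invoices))
    print("extra receipt:", validate_receipt(po, receipts, GoodsReceipt("PO-1001", 5)))
    for inv in invoices:
        print(inv.number, "->", three_way_match(po, receipts, inv))
```

Run against the sample data, the first invoice posts, the resubmitted number is reported as a duplicate, the 8% overcharge and the over-billed quantity are both held, and the fifth unit of an already fully received PO is rejected.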
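Segregation of Duties and super user privilege management appear in the best-practice list above, and the public-sector case study relied on GRC authorization tooling to keep requisition, purchasing, receiving, invoicing and vendor payment apart. As an added example (not the logic of any GRC product), the Python below checks user role assignments against a conflict matrix over those functions, and shows the preventive form of the same check at provisioning time, before a role is granted. The role catalogue, the conflict matrix and the user list are assumptions constructed for illustration.

```python
"""Segregation of Duties (SoD) check over user role assignments.

Added example, not a GRC product: the functions are those named in the
public-sector case study; the role catalogue, the conflict matrix and the
user assignments are assumptions constructed for illustration.
"""

# Pairs of procure-to-pay functions one person must not hold together (assumed matrix).
SOD_CONFLICTS = {
    frozenset({"purchasing", "receiving"}),
    frozenset({"receiving", "invoicing"}),
    frozenset({"purchasing", "invoicing"}),
    frozenset({"invoicing", "vendor_payment"}),
    frozenset({"purchasing", "vendor_payment"}),
}

# Business functions granted by each role (assumed role catalogue).
ROLE_FUNCTIONS = {
    "REQUESTER": {"requisition"},
    "BUYER": {"purchasing"},
    "WAREHOUSE": {"receiving"},
    "AP_CLERK": {"invoicing"},
    "TREASURY": {"vendor_payment"},
    # A super user role that grants everything breaches every rule at once,
    # which is why super user privilege management is on the best-practice list.
    "SUPERUSER": {"requisition", "purchasing", "receiving", "invoicing", "vendor_payment"},
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by all of a user's roles; unknown roles grant nothing."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def sod_violations(assignments, role_functions=ROLE_FUNCTIONS, conflicts=SOD_CONFLICTS):
    """Detective control: map each user to the sorted list of conflicting function
    pairs they hold. Users with no conflict are omitted from the report."""
    report = {}
    for user, roles in assignments.items():
        funcs = effective_functions(roles, role_functions)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= funcs)
        if hits:
            report[user] = hits
    return report


def grant_conflicts(current_roles, new_role, role_functions=ROLE_FUNCTIONS, conflicts=SOD_CONFLICTS):
    """Preventive control for provisioning: the conflicts that granting new_role
    would introduce on top of the user's current roles (empty list = safe to grant)."""
    before = sod_violations({"u": list(current_roles)}, role_functions, conflicts).get("u", [])
    after = sod_violations({"u": list(current_roles) + [new_role]}, role_functions, conflicts).get("u", [])
    return [pair for pair in after if pair not in before]


if __name__ == "__main__":
    # Constructed user-to-role assignments.
    assignments = {
        "bola": ["REQUESTER"],
        "ada": ["BUYER", "TREASURY"],
        "dayo": ["WAREHOUSE", "AP_CLERK"],
        "chidi": ["SUPERUSER"],
    }
    for user, hits in sod_violations(assignments).items():
        print(user, "->", hits)
    print("grant WAREHOUSE to a BUYER:", grant_conflicts(["BUYER"], "WAREHOUSE"))
```

The detective check is what a periodic access review runs over the whole user base; the preventive check is what "compliant user provisioning with access approval" means in practice: the request is stopped, or routed for a documented exception, before the conflicting role is ever active.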
Information Security Objectives
Identification
Authentication
Authorization
Access control
Integrity (data integrity)
Confidentiality
Availability
Reliability
Non-repudiation

BENEFITS OF A SECURED E-PAYMENT ENVIRONMENT
Privacy to fight or stop identity theft.
Preventive measures to help stop ATM, online, e-payment, bank account and other frauds.
Enhanced confidence in e-payment transactions.
Alerts to potential victims of online fraud.
Strong measures that help protect online purchases.
Secure online banking transactions.

Way Forward

GOVERNMENT'S ROLE
Political will. In the US, the Sarbanes-Oxley Act was passed by Congress and signed into law by the President on 30 July 2002. Its Section 404 requires senior management of public companies and their auditors to assess and report annually on the design and effectiveness of internal controls over financial reporting. It fundamentally changed the business and regulatory environment, and it enhances corporate governance through strong internal checks and reporting.
Enforcement, with high monetary and legal sanctions for non-compliance.
Collaboration with the States and other stakeholders.
Massive awareness campaign.
More work for NITDA and other relevant organs.

EXECUTIVE MANAGEMENT'S ROLE
IT professionals, especially those in executive positions, need to be well versed in internal control frameworks and standards. Government officials, CEOs, CIOs and other executives responsible for the implementation and management of information security must comply and take on the challenges of:
Enhancing their knowledge of security and internal controls.
Understanding their organization's overall security needs.
Developing and implementing an effective information security and controls program.
Integrating this plan into the overall IT and corporate strategies.
Conclusion
Most would agree that the reliability of financial reporting is heavily dependent on a well-controlled IT environment.
Security of systems, data and infrastructure components is critical to e-commerce and e-payment for ICT deployment.
Legislative and regulatory measures are critical to the success of ICT deployment.
Organizations must have a comprehensive plan to develop information security standards and to ensure sustainability.
Effectively managed ICT security can support the achievement of business goals and objectives.

Questions, Discussions, ...