Information Management Security

Information Management Security: A Necessary Pre-requisite for ICT Deployment for National Development in Nigeria
Presented by DN S. B. Bamidele, CISM, CGEIT, CSOXP, CCGP, CISA
Work experience: Nigeria - NB plc and Lagos State Government; USA - KPMG, EDS, HP and Control Solutions
At the "eNigeria 2010" International Conference and Exhibition, 18th May, 2010
Organization of Presentation
I. The Critical Nature of Information Security
II. Wrong Perspectives to Information Security
III. Information Security Attacks and Hackers
IV. E-Payment Attack Scenarios (Examples of Security Challenges)
V. Countermeasures (Organization, Personnel, Technology, Processes)
VI. Information Security Objectives
VII. Way Forward & Recommendations
VIII. Discussion & Conclusion
The Critical Nature of Information Security
INTRODUCTION
- Government and enterprises have increasingly become dependent on IT to facilitate business operations in this era of global economy, cross-organization collaboration, online trade and e-payment adoption.
- The speed, accuracy, and integrity of information are critical to the business. It is the difference between having doubts about financial statements and being confident of their accuracy.
- Information Management Security is therefore critical to an entity's ability not only to survive but also to thrive, now more than ever, as businesses have "gone global" as a result of expanding e-commerce capabilities.
The Critical Nature of Information Security
CONCEPT OF E-COMMERCE - eNIGERIA
- Applications fuel businesses, and increasingly complex applications and their information are the lifeblood of today's fast-paced e-commerce businesses.
- That means the health and viability of an e-commerce business is heavily dependent on the strength and security of its ICT systems.
- As such, Information Management Security is a necessary pre-requisite for ICT deployment for national development in Nigeria, especially for the success of our "ICT4D plan and Global E-Payment Adoption".
- Therefore, to achieve our national development programme of the Seven Point Agenda and Vision 20-2020, ICT security must be accorded the necessary priority by all.
The Critical Nature of Information Security
DEFINITIONS
- "Information security provides the assurance for trust, confidentiality, integrity, availability of business transactions and information; and ensures critical confidential information is withheld from those who should not have access to it." - ISACA
- "All measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use." - COBIT
The Critical Nature of Information Security
CARDHOLDER DATA SECURITY - E-PAYMENT
- The Payment Card Industry (PCI) Data Security Standard (DSS) enhances cardholder data security and facilitates the broad adoption of consistent data security measures globally.
- The PCI DSS security requirements apply to all system components that are included in or connected to the cardholder data environment:
  - Network
  - Servers
  - Applications
Wrong Perspectives to Information Security
SOME SOURCES OF EXPOSURE FOR EXECUTIVES
- Failure to mandate the right security culture.
- Failure to implement an effective control framework.
- Inability to embed risk management into corporate strategy.
- Not being able to detect what the most critical and significant security weaknesses are and where they exist within the organization.
- Risk management investments not well monitored.
- Failure to measure the performance of investments in information security initiatives and to know what residual security risks remain.
Wrong Perspectives to Information Security
SOME SOURCES OF EXPOSURE ORGANIZATION-WIDE
- That security is someone else's responsibility.
- No collaborative effort to link the security program to business goals.
- Exact role of information security not clearly defined.
- Enterprises too often view information security in isolation.
- Some view it as solely a technical discipline.
- Businesses still struggle to keep up with regulatory requirements, economic conditions and risk management.
Wrong Perspectives to Information Security
SOME POPULAR FALLACIES
- "If I never log off then my computer can never get a virus."
- "I got this disc from my (IT department, manager, boss, mother, friend, spouse) so it must be okay."
- "But I only downloaded one file."
- "I am too smart to fall for a scam."
- "My friend... who knows a lot about computers showed me this really cool site..."
- "My vendor will protect me."
- It is therefore easy for this compartmentalized approach to lead to weaknesses in security management, possibly resulting in serious exposure.
Information Security Attacks
POTENTIAL SECURITY ISSUES
- Denial of Service (DoS) Attacks
- Website Defacement or Modification
- Viruses and Worms
- Data Sniffing, Phishing, Spoofing, SMishing
- Malicious Code and Trojans
- Port-scanning and Probing
- Wireless Attacks
- Theft of Confidential Information
- System Sabotage
- Internal Staff Abusing Access
- Financial Fraud Through Deception
- Theft of Computer Equipment
Information Security Attacks
[Chart: World-Wide Cyber Attack Trends, 1995-2002. Left axis: Malicious Code Infection Attempts* (0 to 900M); right axis: Network Intrusion Attempts** (0 to 120,000). Labelled events, in order: Polymorphic Viruses (Tequila); Mass Mailer Viruses (Love Letter/Melissa); Zombies; Denial of Service (Yahoo!, eBay); Blended Threats (CodeRed, Nimda, Slammer).]
* Analysis by Symantec Security Response using data from Symantec, IDC & ICSA;
** Source: CERT; 2002 Intrusion Attempts were 82,094; 1&2Q 2003 total already was 76,404
Information Security Attacks
TYPES OF E-FRAUD
- Identity Theft
- Extortion (reputation)
- Salami Slice
- Funds Transfer
- Electronic Money Laundering
Information Security Attacks
IDENTITY THEFT FOR E-PAYMENT FRAUD
Identity theft is when your personal information is stolen and used illegally, especially for e-payment. The protections map to security properties as follows:
- Keep financial data secret from unauthorized parties (privacy)
  - CRYPTOGRAPHY
- Verify that messages have not been altered in transit (integrity)
  - HASH FUNCTIONS
- Non-denial that a party engaged in a transaction (non-repudiation)
  - DIGITAL SIGNATURES
- Verify identity of users (authentication)
  - PASSWORDS, PIN NUMBERS, SECURITY KEYS, DIGITAL CERTIFICATES
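The integrity property above is the one most easily misunderstood: an unkeyed hash detects accidental corruption, but an attacker who alters a payment message can simply recompute the hash. The following example is added here (it is not code from the presentation or from any client system it describes) to show the difference between a plain SHA-256 digest and a keyed HMAC over a constructed payment instruction. Field names, the sample transfer and the attacker's guessed key are all constructed for the demo. Note that HMAC still does not give non-repudiation, because sender and receiver share the same key; that property needs the digital signatures the slide lists.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: a payment instruction as a banking application might serialize it.
SAMPLE_TRANSFER = {
    "from_account": "0123456789",
    "to_account": "9876543210",
    "amount_ngn": "25000.00",
    "reference": "INV-2010-0042",
}


def canonical_bytes(tx: dict) -> bytes:
    """Serialize deterministically so sender and receiver hash identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode("utf-8")


def integrity_digest(tx: dict) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption in transit."""
    return hashlib.sha256(canonical_bytes(tx)).hexdigest()


def verify_digest(tx: dict, digest: str) -> bool:
    return hmac.compare_digest(integrity_digest(tx), digest)


def authenticate(tx: dict, key: bytes) -> str:
    """Keyed HMAC-SHA256 tag: only a holder of the key can produce a valid tag."""
    return hmac.new(key, canonical_bytes(tx), hashlib.sha256).hexdigest()


def verify_tag(tx: dict, tag: str, key: bytes) -> bool:
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(authenticate(tx, key), tag)


def tamper_demo(key: bytes) -> dict:
    """Shows why a plain hash is not enough against an active adversary."""
    digest = integrity_digest(SAMPLE_TRANSFER)
    tag = authenticate(SAMPLE_TRANSFER, key)
    altered = dict(SAMPLE_TRANSFER, amount_ngn="250000.00")  # amount multiplied by ten
    return {
        "original_digest_ok": verify_digest(SAMPLE_TRANSFER, digest),
        "altered_digest_ok": verify_digest(altered, digest),
        # Whoever changes the amount can recompute the unkeyed hash to match...
        "altered_with_recomputed_digest_ok": verify_digest(altered, integrity_digest(altered)),
        # ...but cannot produce a valid HMAC without the shared key.
        "original_tag_ok": verify_tag(SAMPLE_TRANSFER, tag, key),
        "altered_tag_ok": verify_tag(altered, tag, key),
        "altered_tag_with_wrong_key_ok": verify_tag(altered, authenticate(altered, b"constructed-guess"), key),
    }


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # per-session key; in practice provisioned out of band
    for name, ok in tamper_demo(demo_key).items():
        print(f"{name}: {ok}")
```

Run as a script it prints one line per check; only the three "original" and "recomputed digest" checks come out True, which is exactly the point: the keyed tag fails on the altered message while the unkeyed digest can be silently refreshed.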
E-Payment Attack Scenarios
- Problem: ATM and Credit Card Frauds - a banking client case study
- Some of Our Findings:
  - Identity theft by impersonation with fake email phishing, SMS SMishing and website spoofing. Phishing email subject examples:
    - "Your ABC bank account was temporarily suspended"
    - "Protect your ABC bank account"
    - "Update on your ABC bank account"
    - "ABC bank identity theft solutions"
  - Identity theft by packet sniffing to illegally capture packets of data such as passwords, IP addresses, protocols, etc., in order to break into the network and databases.
  - Identity theft through internal staff releasing customer information to friends and other collaborators.
  - Hacking by breaking into computer networks, databases and servers to retrieve information.
E-Payment Attack Scenarios
- Problem: ATM and Credit Card Frauds - a banking client case study
- Security Solutions Offered:
  - "Email Security Code", with the customer's name, last 4 digits of the card and last log-in date, in all emails to help customers verify that the email was sent by the bank.
  - "Confirm your identity", triggered by certain risk factors, requires the user to receive an "identification code" via voice, text or the e-mail address on file. The user must enter the code before a successful log-in to the account.
  - Secure Sockets Layer (SSL) encrypts, or scrambles, user IDs, passwords and account information en route and decodes them at the other end.
E-Payment Attack Scenarios
- Problem: ATM and Credit Card Frauds - a banking client case study
- Security Solutions Offered:
  - Use of GRC authorization and Segregation of Duties tools to minimize abuse of user access to incompatible combinations of sensitive customer account information.
  - Implement appropriate logging controls to check user abuses.
  - Use of a new account on the bank's website payment processing link requires verification with a small deposit and a small withdrawal to be confirmed by the user.
  - Protection with firewalls and specialized hardware and software to control all communications with the network.
E-Payment Attack Scenarios
- Problem: ATM and Credit Card Frauds - a banking client case study
- Security Solutions Offered:
  - Using a Dynamic Security Key, which creates random temporary security codes on the go, in addition to the PIN and card at the ATM. It comes in two types:
    - Token Security Key, a small car-remote-sized device.
    - Mobile phone security key for receiving the security code as SMS on the go.
  - Constant monitoring of the security tools to detect or proactively prevent security breaches.
- Result: Customers increased by 86% in three months as a consequence of increased trust in the bank's security measures.
E-Payment Attack Scenarios
- Problem: Revenue leakages - an Energy, Oil & Gas client case study
- Some of Our Findings:
  - Financial Fraud Through Deception: Customers with overdue invoices went undetected and continued to owe more from new purchases.
  - Unauthorized and Inappropriate Access to Systems: Processing and collection of bad debts by unauthorized personnel.
- Security Solutions Offered:
  - System controls to block sales orders until overdue invoices are resolved.
  - System-generated alerts used for credit control management.
  - Followed by appropriate recovery measures (dunning).
- Result: Over $1.4m increase in revenue after two months.
E-Payment Attack Scenarios
- Problem: Fictitious contracts & overpayments - a Public sector client case study
- Some of Our Findings:
  - Financial Fraud:
    - Duplicate invoice numbers exist for a vendor/contractor, and/or duplicate order numbers exist for a contract.
    - Goods receipts are below or exceed the quantity in the reference PO.
    - Invoice amounts do not match the goods receipt and/or quantity listed on the reference PO.
  - Unauthorized and Inappropriate Access to Systems:
    - New or changed POs and contracts that contain invalid services exist.
E-Payment Attack Scenarios
- Problem: Fictitious contracts & overpayments - a Public sector client case study
- Security Solutions Offered:
  - System controls to prevent processing of duplicate invoice numbers for the same vendor/contractor.
  - System controls to prevent processing of receiving quantities less or greater than listed in the reference PO.
  - System controls to perform a 3-way match of purchase orders, goods receipts and invoices within a defined tolerance limit before posting to the GL.
  - Use of GRC authorization and Segregation of Duties tools to minimize abuse of user access to incompatible combinations of functions between requisition, purchasing, receiving, invoicing and processing vendors' payments.
- Result: More than $2.5m savings in expenditure after 5 months.
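The four procurement controls on this slide, and the findings on the previous one, are mechanical enough to express as code. The example below is added here and is not the client's ERP configuration or any vendor's GRC product: it models the three documents of a 3-way match with an in-memory ledger and implements the duplicate-invoice block, the exact-quantity receiving check the slide calls for, the tolerance-bounded amount match before posting, and a Segregation of Duties check over the five functions the slide names. The vendor, PO and invoice values are constructed, the 2% tolerance is an assumed default, and the list of conflicting function pairs is an assumption of this example rather than a rule stated on the page.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class PurchaseOrder:
    po_number: str
    vendor: str
    quantity: int
    unit_price: Decimal


@dataclass
class GoodsReceipt:
    po_number: str
    quantity: int


@dataclass
class Invoice:
    vendor: str
    invoice_number: str
    po_number: str
    quantity: int
    amount: Decimal


@dataclass
class Ledger:
    """Constructed in-memory stand-in for the ERP tables the controls would read."""
    pos: dict = field(default_factory=dict)            # po_number -> PurchaseOrder
    receipts: list = field(default_factory=list)
    posted_invoices: set = field(default_factory=set)  # (vendor, invoice_number)


def receive_goods(ledger: Ledger, gr: GoodsReceipt) -> str:
    """Control: receiving quantity must equal the reference PO quantity (neither less nor greater)."""
    po = ledger.pos.get(gr.po_number)
    if po is None:
        return "REJECT: goods receipt references unknown PO"
    if gr.quantity != po.quantity:
        return f"REJECT: received {gr.quantity} but PO {po.po_number} lists {po.quantity}"
    ledger.receipts.append(gr)
    return "OK"


def post_invoice(ledger: Ledger, inv: Invoice, tolerance: Decimal = Decimal("0.02")) -> str:
    """Controls: no duplicate invoice number per vendor, then a 3-way match of PO, goods
    receipt and invoice within `tolerance` (fraction of the PO value) before GL posting."""
    key = (inv.vendor, inv.invoice_number)
    if key in ledger.posted_invoices:
        return "REJECT: duplicate invoice number for this vendor"
    po = ledger.pos.get(inv.po_number)
    if po is None or po.vendor != inv.vendor:
        return "REJECT: no PO for this vendor and PO number"
    received = sum(gr.quantity for gr in ledger.receipts if gr.po_number == inv.po_number)
    if not (inv.quantity == received == po.quantity):
        return f"REJECT: quantity mismatch (PO {po.quantity}, received {received}, invoiced {inv.quantity})"
    expected = po.unit_price * po.quantity
    if abs(inv.amount - expected) > expected * tolerance:
        return f"REJECT: invoice amount {inv.amount} outside tolerance of PO value {expected}"
    ledger.posted_invoices.add(key)
    return "OK"


# Assumed conflict pairs (not stated on the page): functions one user must not hold together.
SOD_CONFLICTS = [
    ("requisition", "purchasing"), ("purchasing", "receiving"), ("receiving", "invoicing"),
    ("invoicing", "vendor_payment"), ("purchasing", "vendor_payment"),
]


def sod_violations(assignments: dict) -> dict:
    """Return {user: [conflicting pairs]} for users whose roles combine incompatible functions."""
    out = {}
    for user, funcs in assignments.items():
        hits = [pair for pair in SOD_CONFLICTS if set(pair) <= set(funcs)]
        if hits:
            out[user] = hits
    return out


def demo() -> dict:
    ledger = Ledger()
    ledger.pos["PO-1001"] = PurchaseOrder("PO-1001", "Acme Ltd", 100, Decimal("250.00"))
    results = {
        "short_receipt": receive_goods(ledger, GoodsReceipt("PO-1001", 90)),
        "exact_receipt": receive_goods(ledger, GoodsReceipt("PO-1001", 100)),
        "invoice_within_tolerance": post_invoice(ledger, Invoice("Acme Ltd", "A-77", "PO-1001", 100, Decimal("25100.00"))),
        "duplicate_invoice": post_invoice(ledger, Invoice("Acme Ltd", "A-77", "PO-1001", 100, Decimal("25000.00"))),
        "overbilled_invoice": post_invoice(ledger, Invoice("Acme Ltd", "A-78", "PO-1001", 100, Decimal("30000.00"))),
    }
    results["sod"] = sod_violations({"ada": {"purchasing", "vendor_payment"}, "bola": {"receiving"}})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks in `post_invoice` matters: the duplicate test runs before any matching so a re-submitted invoice is rejected for the right reason and never reaches the GL, and the quantity comparison requires all three documents to agree rather than just invoice against PO.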
E-Payment Attack Scenarios
- Problem: Risks and security concerns with Cloud Computing
- Recommendations:
  - Reputation, history and sustainability are factors to be considered in choosing a provider.
  - Business continuity and disaster recovery plans must be well documented and periodically tested.
  - Options to minimize impact if the provider's service is interrupted.
  - Agreed-upon service levels (SLA) with the provider.
  - Define backups and recovery time objectives.
  - Proper classification and labeling of data for ease of identification and to ensure data are not merged with competitors'.
  - Transparency and a robust assurance approach to the cloud provider's security and control environment.
Countermeasures
SUGGESTED SECURITY BEST PRACTICES
- Complete reliance on the strength of IT-based access controls.
- Security policies, procedures and standards
- Application and data ownership
- Segregation of Duties
- Logical and physical security
- Super user privilege management
- Compliant user provisioning with access approval
- User-based role management (unique access based on need to know) and security administration
- Virus protection
- Authentication with any combination of ID, password, PIN, card, security code key on the go, biometrics, etc.
Countermeasures
INFORMATION MANAGEMENT SECURITY ROAD MAP
Effective risk management requires a strong balance of:
- Organizational support
  - Dedicated management
- People
  - Staff members play a critical role in protecting the integrity, confidentiality, and availability of IT systems and networks
  - Training, Awareness, Enforcement and Compensation
- Selection of appropriate technology
  - Firewalls
  - Intrusion Detection
  - Virus Protection
  - Authentication and Authorization
  - Encryption
  - Data and Information Backup
Countermeasures
INFORMATION MANAGEMENT SECURITY ROAD MAP
- Effective and well-controlled processes
  - Security goals - operating, financial and strategic objectives
  - Risk factor impact analysis - internal and external
  - Evaluate and improve on existing security practices
The PCI Security Standards Council's required process to mitigate emerging e-payment security risks has helped a lot:
  - Build and Maintain a Secure Network
  - Protect Cardholder Data
  - Maintain a Vulnerability Management Program
  - Implement Strong Access Control Measures
  - Regularly Monitor and Test Networks
  - Maintain an Information Security Policy
Each interacts with, impacts and supports the others, often in complex ways, and if any one is deficient, information security is diminished.
Information Security Objectives
- Identification
- Authorization
- Integrity
- Availability
- Reliability
- Authentication
- Authorization
- Access Control
- Data Integrity
- Confidentiality
- Non-repudiation
Information Security Objectives
BENEFITS OF A SECURED E-PAYMENT ENVIRONMENT
- Privacy to fight or stop identity theft.
- Preventive measures to help stop ATM, online, e-payment, bank account, etc., frauds.
- Enhanced confidence in e-payment transactions.
- Alerts to potential victims of online frauds.
- Strong measures that help protect online purchases.
- Secure online banking transactions.
Way Forward
GOVERNMENT'S ROLE
- Political will
  - In the US, the Sarbanes-Oxley Act was passed by Congress and signed into law by the President on 30 July 2002.
  - Its Section 404 requires senior management of public companies and their auditors to annually assess and report on the design and effectiveness of internal controls over financial reporting.
  - It fundamentally changed the business and regulatory environment.
  - It enhances corporate governance through strong internal checks and reporting.
- Enforcement with high monetary and legal sanctions for non-compliance
- Collaboration with States and other stakeholders
- Massive awareness campaign
- More work for NITDA and other relevant organs
Way Forward
EXECUTIVE MANAGEMENT'S ROLE
- IT professionals, especially those in executive positions, need to be well versed in internal control frameworks and standards.
- Government officials, CEOs, CIOs and other executives responsible for the implementation and management of information security must comply and take on the challenges of:
  - Enhancing their knowledge of security and internal controls.
  - Understanding their organization's overall security needs.
  - Developing and implementing an effective information security and controls program.
  - Integrating this plan into the overall IT and corporate strategies.
Conclusion
- Most would agree that the reliability of financial reporting is heavily dependent on a well-controlled IT environment.
- Security of systems, data and infrastructure components is critical to e-commerce and e-payment for ICT deployment.
- Legislative and regulatory measures are very critical to the success of ICT deployment.
- Organizations must have a comprehensive plan to develop information security standards and ensure sustainability.
- Effectively managed ICT security can support the achievement of business goals and objectives.
Conclusion
Questions, Discussions, ….