Information Management Security
Information Management Security
A Necessary Pre-requisite for ICT Deployment
for National Development in Nigeria
PRESENTED BY
DN S. B. BAMIDELE,
CISM, CGEIT, CSOXP, CCGP, CISA
Work Experience:
NIGERIA - NB plc and Lagos State Government
USA - KPMG, EDS, HP and Control Solutions
AT
“eNigeria 2010” International Conference
and Exhibition
18TH MAY, 2010
Organization of Presentation
I. The Critical Nature of Information Security
II. Wrong Perspectives to Information Security
III. Information Security Attacks and Hackers
IV. E-Payment Attack Scenarios (Examples of Security Challenges)
V. Countermeasures (Organization, Personnel, Technology, Processes)
VI. Information Security Objectives
VII. Way Forward & Recommendations
VIII. Discussion & Conclusion
The Critical Nature of Information Security
INTRODUCTION
Government and enterprises have become increasingly dependent on IT to run their operations in this era of a global economy, cross-organization collaboration, online trade and e-payment adoption.
The speed, accuracy and integrity of information are critical to the business: they are the difference between having doubts about financial statements and being confident of their accuracy.
Information Management Security is therefore critical to an entity's ability not only to survive but also to thrive, now more than ever, as businesses have "gone global" on the strength of expanding e-commerce capabilities.
The Critical Nature of Information Security
CONCEPT OF E-COMMERCE - eNIGERIA
Applications fuel businesses, and increasingly complex applications and their information are the lifeblood of today's fast-paced e-commerce businesses.
That means the health and viability of an e-commerce business is heavily dependent on the strength and security of its ICT systems.
As such, Information Management Security is a necessary pre-requisite for ICT deployment for national development in Nigeria, especially for the success of our "ICT4D plan and Global E-Payment Adoption".
Therefore, to achieve our national development programme of the Seven Point Agenda and Vision 20-2020, ICT security must be accorded the necessary priority by all.
The Critical Nature of Information Security
DEFINITIONS
"Information security provides the assurance for trust, confidentiality, integrity, availability of business transactions and information; and ensures critical confidential information is withheld from those who should not have access to it." - ISACA
All measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use. - COBIT
The Critical Nature of Information Security
CARDHOLDER DATA SECURITY - E-PAYMENT
The Payment Card Industry Data Security Standard (PCI DSS) was developed to enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally.
The PCI DSS security requirements apply to all system components that are included in or connected to the cardholder data environment:
Network
Server
Applications
Components that are adequately segmented from the cardholder data environment fall outside this scope, which is why network segmentation is normally the first step an organization takes to reduce its PCI DSS scope.
Wrong Perspectives to Information Security
SOME SOURCES OF EXPOSURE FOR EXECUTIVES
Failure to mandate the right security culture.
Failure to implement an effective control framework.
Inability to embed risk management into corporate strategy.
Not being able to detect what the most critical and significant security weaknesses are and where they exist within the organization.
Risk management investments not well monitored.
Failure to measure the performance of investments in information security initiatives and to know what residual security risks remain.
Wrong Perspectives to Information Security
SOME SOURCES OF EXPOSURE ORGANIZATION-WIDE
That security is someone else's responsibility.
No collaborative effort to link the security program to business goals.
Exact role of information security not clearly defined.
Enterprises too often view information security in isolation.
Some view it as solely a technical discipline.
Businesses still struggle to keep up with regulatory requirements, economic conditions and risk management.
Wrong Perspectives to Information Security
SOME POPULAR FALLACIES
If I never log off then my computer can never get a virus.
I got this disc from my (IT department, manager, boss, mother, friend, spouse) so it must be okay.
But I only downloaded one file.
I am too smart to fall for a scam.
My friend... who knows a lot about computers showed me this really cool site...
My vendor will protect me.
It is easy, therefore, for such compartmentalized approaches to lead to weaknesses in security management, possibly resulting in serious exposure.
Information Security Attacks
POTENTIAL SECURITY ISSUES
Denial of Service (DoS) Attacks
Website Defacement or Modification
Viruses and Worms
Data Sniffing, Phishing, Spoofing, SMishing
Malicious Code and Trojans
Port-scanning and Probing
Wireless Attacks
Theft of Confidential Information
System Sabotage
Internal Staff Abusing Access
Financial Fraud Through Deception
Theft of Computer Equipment
Information Security Attacks
World-Wide Cyber Attack Trends
[Chart: World-Wide Cyber Attack Trends, 1995 to 2002. Left axis: Network Intrusion Attempts** (0 to 120,000); right axis: Malicious Code Infection Attempts* (0 to 900M); a third series plots Zombies. Annotated milestones, in order: Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer).]
* Analysis by Symantec Security Response using data from Symantec, IDC & ICSA;
** Source: CERT; 2002 Intrusion Attempts were 82,094; 1&2Q 2003 total already was 76,404
Information Security Attacks
TYPES OF E-FRAUD
Identity Theft
Extortion (reputation)
Salami Slice
Funds Transfer
Electronic Money Laundering
Information Security Attacks
IDENTITY THEFT FOR E-PAYMENT FRAUD
Identity theft is when your personal information is stolen and used illegally, especially for e-payment. The security services that counter it, and the mechanisms that provide each:
Keep financial data secret from unauthorized parties (privacy/confidentiality): CRYPTOGRAPHY (encryption)
Verify that messages have not been altered in transit (integrity): HASH FUNCTIONS (keyed, i.e. a MAC, or signed, whenever the attacker could also replace the hash)
Non-denial that a party engaged in a transaction (non-repudiation): DIGITAL SIGNATURES
Verify the identity of users (authentication): PASSWORDS, PIN NUMBERS, SECURITY KEYS, DIGITAL CERTIFICATES
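The integrity row is where practice most often goes wrong: an unkeyed hash can simply be recomputed by whoever alters the message. The Python below is an added example, not part of the presentation, and the transfer message and shared key in it are constructed for illustration. It shows a payment instruction protected only by a SHA-256 digest being changed in transit without detection, while the same message protected by an HMAC (a keyed hash) is rejected because the attacker cannot produce a fresh tag without the key.

```python
"""Integrity check for an e-payment message: plain hash vs. keyed MAC.

Added example, not from the presentation. Message fields and the shared
key are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed shared secret: in practice provisioned out of band and kept
# in an HSM or key vault, never in source.
SHARED_KEY = b"bank-and-switch-shared-secret"


def canonical(message: dict) -> bytes:
    """Serialise with sorted keys so both ends hash identical bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def plain_digest(message: dict) -> str:
    """Unkeyed SHA-256 over the message (a bare 'hash function')."""
    return hashlib.sha256(canonical(message)).hexdigest()


def keyed_tag(message: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the message; the key is needed to produce or forge it."""
    return hmac.new(key, canonical(message), hashlib.sha256).hexdigest()


def verify_plain(message: dict, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)


def verify_keyed(message: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(keyed_tag(message, key), tag)


def tamper_in_transit(message: dict, digest: str, tag: str):
    """An attacker on the path changes the payee and recomputes what it can.

    Returns the altered message, a recomputed plain digest, and the original
    tag: without the key the attacker can only replay the old MAC.
    """
    altered = dict(message, payee_account="0099887766")
    return altered, plain_digest(altered), tag


def demo() -> dict:
    transfer = {"payer_account": "0011223344",   # constructed sample
                "payee_account": "0055667788",
                "amount_ngn": 250000,
                "reference": "TRX-2010-0001"}
    digest = plain_digest(transfer)
    tag = keyed_tag(transfer)
    altered, new_digest, old_tag = tamper_in_transit(transfer, digest, tag)
    return {
        "plain_hash_accepts_forgery": verify_plain(altered, new_digest),
        "mac_rejects_forgery": not verify_keyed(altered, old_tag),
        "mac_accepts_genuine": verify_keyed(transfer, tag),
    }


if __name__ == "__main__":
    print(demo())
```

A MAC gives integrity and origin authentication between two parties who share the key; it does not give non-repudiation, because either party could have produced the tag. That is the gap the digital signatures row fills.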
E-Payment Attack Scenarios
Problem: ATM and Credit Card Frauds - a banking client case study
Some of Our Findings:
Identity theft by impersonation with fake email phishing, SMS SMishing and website spoofing. Phishing email subject examples:
Your ABC bank account was temporarily suspended
Protect your ABC bank account
Update on your ABC bank account
ABC bank identity theft solutions
Identity theft by packet sniffing to illegally capture packets of data like passwords, IP addresses, protocols, etc., to break into the network and databases.
Identity theft through internal staff releasing customer information to friends and other collaborators.
Hacking by breaking into the computer network, databases and servers to retrieve information.
Security Solutions Offered:
"Email Security Code", with the customer's name, last 4 digits of the card and last log-in date, in all emails to help customers verify that the email was sent by the bank. (This only helps while those details are unknown to the attacker; a fraudster who already holds stolen card data can reproduce them.)
"Confirm your identity", based on some factors, requires the user to receive an "identification code" via voice, text or e-mail on file. The user enters the code before a successful log-in to the account.
Secure Sockets Layer (SSL; today its successor TLS) encrypts, or scrambles, user IDs, passwords and account information en route and decodes them at the other end.
Use of GRC authorization and Segregation of Duties tools to minimize abuse of user access to incompatible combinations of sensitive customer account information.
Implement appropriate logging controls to check user abuses.
Use of a new account on the bank's website payment processing link requires verification with a small deposit and a small withdrawal to be confirmed by the user.
Protection with firewalls and specialized hardware and software to control all communications with the network.
Using a Dynamic Security Key, which creates random temporary security codes on the go, in addition to the PIN and card at the ATM. It comes in 2 types:
Token Security Key, a small car-remote sized device.
Mobile phone security key for receiving the security code as SMS on the go.
Constant monitoring of the security tools to detect or proactively prevent security breaches.
Result: Customers increased by 86% in three months as a consequence of increased trust in the bank's security measures.
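Both the "identification code" sent to the customer and the Dynamic Security Key token above are one-time codes, and the part that matters for fraud is the verifier, not the code generator: a captured code must not work twice, and a token that was pressed a few times without logging in must still be accepted. The Python below is an added example, not the bank's or the presenter's code. It implements HOTP (RFC 4226, HMAC-SHA-1 over an 8-byte counter) with a server-side look-ahead window and a counter that only moves forward, plus the time-based variant used by phone apps. The seed is the RFC 4226 test-vector secret, chosen so the output can be checked against the published values; the window size is an assumption.

```python
"""One-time codes for a token security key or SMS/voice identification code.

Added example, not from the presentation. HOTP per RFC 4226 and TOTP per
RFC 6238; TEST_SEED is the RFC 4226 test-vector secret.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

TEST_SEED = b"12345678901234567890"   # RFC 4226 appendix D secret


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the current 30-second time step."""
    now = time.time() if at is None else at
    return hotp(seed, int(now // step), digits)


class TokenVerifier:
    """Server-side state for one customer's event-based token."""

    def __init__(self, seed: bytes, look_ahead: int = 5):   # window is assumed
        self.seed = seed
        self.counter = 0          # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # Accept the expected counter or a few values ahead (token pressed
        # without logging in), never a counter that was already consumed.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1   # resync and burn this code
                return True
        return False


def demo() -> dict:
    server = TokenVerifier(TEST_SEED)
    first = hotp(TEST_SEED, 0)
    third = hotp(TEST_SEED, 2)
    return {
        "first_code": first,                                 # "755224"
        "accept_first": server.verify(first),
        "replay_first": server.verify(first),                # must be refused
        "skip_to_third": server.verify(third),               # drift inside window
        "stale_second": server.verify(hotp(TEST_SEED, 1)),   # behind the counter
        "counter_after": server.counter,
    }


if __name__ == "__main__":
    print(demo())
```

For an SMS or voice code the same verifier shape applies with a random code stored against the session and a short expiry instead of a counter; the replay rule (delete the code on first successful use) is the part that must not be skipped.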
E-Payment Attack Scenarios
Problem: Revenue leakages - an Energy, Oil & Gas client case study
Some of Our Findings:
Financial Fraud Through Deception: Customers with overdue invoices went undetected and continued to owe more from new purchases.
Unauthorized and Inappropriate Access to Systems: Processing and collection of bad debts by unauthorized personnel.
Security Solutions Offered:
System controls to block sales orders until overdue invoices are resolved.
System-generated alerts used for credit control management, followed by appropriate recovery measures (dunning).
Result: Over $1.4m increase in revenue after two months.
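The two controls above (a credit hold at order entry and dunning alerts for credit control) are simple to state and easy to get subtly wrong, for example by treating an invoice that is one day late as a block or by forgetting that a paid invoice still has a past due date. The Python below is an added example, not the client's system; the ledger, grace period and dunning thresholds are constructed assumptions.

```python
"""Credit-control gate for sales order entry: block new orders while overdue
invoices remain open, and raise the dunning action for each.

Added example, not the client's system. Invoice data, grace period and
dunning thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

GRACE_DAYS = 5                              # assumed tolerance after due date
DUNNING_LEVELS = [(0, "reminder"),          # (days overdue, action), ascending
                  (30, "final notice"),
                  (60, "hand over to recovery")]


@dataclass
class Invoice:
    number: str
    customer: str
    due: date
    open_amount: float              # 0.0 once fully paid


def days_overdue(inv: Invoice, today: date) -> int:
    return max(0, (today - inv.due).days)


def dunning_level(inv: Invoice, today: date) -> Optional[str]:
    """Highest dunning action whose threshold an open invoice has passed."""
    if inv.open_amount <= 0 or days_overdue(inv, today) <= GRACE_DAYS:
        return None
    level = None
    for threshold, action in DUNNING_LEVELS:
        if days_overdue(inv, today) >= threshold:
            level = action
    return level


def overdue_invoices(customer: str, ledger: List[Invoice], today: date) -> List[Invoice]:
    return [i for i in ledger
            if i.customer == customer and dunning_level(i, today) is not None]


def can_accept_order(customer: str, ledger: List[Invoice], today: date) -> Tuple[bool, str]:
    """Order-entry control: refuse new sales while any overdue invoice is open."""
    blocked = overdue_invoices(customer, ledger, today)
    if blocked:
        refs = ", ".join(f"{i.number} ({dunning_level(i, today)})" for i in blocked)
        return False, f"credit hold: overdue {refs}"
    return True, "ok"


def credit_alerts(ledger: List[Invoice], today: date) -> Dict[str, List[str]]:
    """Alert list for credit control: customer -> dunning actions now due."""
    alerts: Dict[str, List[str]] = {}
    for inv in ledger:
        level = dunning_level(inv, today)
        if level:
            alerts.setdefault(inv.customer, []).append(f"{inv.number}: {level}")
    return alerts


# Constructed sample ledger.
LEDGER = [
    Invoice("INV-100", "Acme Depot", date(2010, 3, 1), 12000.0),   # long overdue
    Invoice("INV-101", "Acme Depot", date(2010, 4, 20), 0.0),      # paid late, ignore
    Invoice("INV-102", "Delta Fuels", date(2010, 5, 15), 800.0),   # inside grace
    Invoice("INV-103", "Delta Fuels", date(2010, 4, 10), 500.0),   # overdue
]

if __name__ == "__main__":
    today = date(2010, 5, 18)
    print(can_accept_order("Acme Depot", LEDGER, today))
    print(credit_alerts(LEDGER, today))
```

The hold is evaluated at order entry rather than at invoicing, which is the point the case study makes: a customer who already owes must not be able to add to the exposure.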
E-Payment Attack Scenarios
Problem: Fictitious contracts & overpayments - a Public sector client case study
Some of Our Findings:
Financial Fraud:
Duplicate invoice numbers exist for a vendor/contractor, and/or duplicate order numbers exist for a contract.
Goods receipts are below or exceed the quantity in the reference PO.
Invoice amounts do not match the goods receipt and/or the quantity listed on the reference PO.
Unauthorized and Inappropriate Access to Systems:
New or changed POs and contracts that contain invalid services exist.
Security Solutions Offered:
System controls to prevent processing of duplicate invoice numbers for the same vendor/contractor.
System controls to prevent processing of receiving quantities less or greater than listed in the reference PO.
System controls to perform a 3-way match of purchase orders, goods receipts and invoices within a defined tolerance limit before posting to the GL.
Use of GRC authorization and Segregation of Duties tools to minimize abuse of user access to incompatible combinations of functions between requisition, purchasing, receiving, invoicing and processing vendors' payments.
Result: More than $2.5m savings in expenditure after 5 months.
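The four controls listed for this case study, and the Segregation of Duties control that the banking case study also relied on, can be expressed as one gate that runs before an invoice posts to the general ledger. The Python below is an added example, not the client's or any GRC product's code; the price tolerance, the conflict matrix and the sample documents are constructed assumptions. It rejects a replayed invoice number, flags a short delivery and an over-stated invoice against the PO, and reports the buyer who both raised the PO and keyed the invoice.

```python
"""Procure-to-pay controls: duplicate invoice check, goods receipt against
PO quantity, three-way match within tolerance, and a segregation-of-duties
check over the users who touched the documents.
Added example, not the client's code. Tolerances, the conflict matrix and
the sample documents are constructed assumptions.
"""
from dataclasses import dataclass

PRICE_TOLERANCE = 0.02   # assumed: invoice may differ from PO value by 2%

# Assumed conflict matrix: function pairs one person must not combine.
SOD_CONFLICTS = {
    frozenset({"requisition", "purchasing"}), frozenset({"purchasing", "receiving"}),
    frozenset({"purchasing", "invoicing"}), frozenset({"receiving", "invoicing"}),
    frozenset({"invoicing", "payment"}), frozenset({"purchasing", "payment"}),
}

@dataclass
class PurchaseOrder:
    number: str
    vendor: str
    qty: int
    unit_price: float
    created_by: str

@dataclass
class GoodsReceipt:
    po: str
    qty: int
    received_by: str

@dataclass
class Invoice:
    number: str
    vendor: str
    po: str
    qty: int
    amount: float
    entered_by: str

def is_duplicate_invoice(inv: Invoice, posted: set) -> bool:
    """The same invoice number from the same vendor must never post twice."""
    return (inv.vendor, inv.number) in posted

def three_way_match(po: PurchaseOrder, gr: GoodsReceipt, inv: Invoice) -> list:
    """Exceptions found matching PO, receipt and invoice; empty list = match."""
    issues = []
    if inv.po != po.number or gr.po != po.number:
        issues.append("documents reference different POs")
    if inv.vendor != po.vendor:
        issues.append("invoice vendor differs from PO vendor")
    if gr.qty != po.qty:                       # receipt must equal PO quantity
        issues.append(f"received {gr.qty} vs PO {po.qty}")
    if inv.qty != gr.qty:
        issues.append(f"invoiced {inv.qty} vs received {gr.qty}")
    expected = po.unit_price * inv.qty
    if abs(inv.amount - expected) > expected * PRICE_TOLERANCE:
        issues.append(f"amount {inv.amount:.2f} outside tolerance of {expected:.2f}")
    return issues

def sod_violations(user_functions: dict) -> list:
    """user -> set of functions performed; returns (user, pair) per conflict."""
    found = []
    for user, funcs in user_functions.items():
        for pair in SOD_CONFLICTS:
            if pair <= funcs:
                found.append((user, tuple(sorted(pair))))
    return sorted(found)

def approve_payment(po, gr, inv, posted: set) -> tuple:
    """Gate before posting to the GL: every control must pass."""
    if is_duplicate_invoice(inv, posted):
        return False, ["duplicate invoice number for vendor"]
    issues = three_way_match(po, gr, inv)
    actors: dict = {}
    for user, func in ((po.created_by, "purchasing"), (gr.received_by, "receiving"),
                       (inv.entered_by, "invoicing")):
        actors.setdefault(user, set()).add(func)
    issues += [f"SoD: {u} did {a} and {b}" for u, (a, b) in sod_violations(actors)]
    if issues:
        return False, issues
    posted.add((inv.vendor, inv.number))
    return True, []

def demo() -> dict:
    posted: set = set()   # constructed sample documents follow
    po = PurchaseOrder("PO-7001", "Kano Builders", 100, 50.0, "buyer1")
    gr = GoodsReceipt("PO-7001", 100, "storeman1")
    inv = Invoice("KB-0451", "Kano Builders", "PO-7001", 100, 5050.0, "apclerk1")
    first_ok, _ = approve_payment(po, gr, inv, posted)
    again_ok, again_why = approve_payment(po, gr, inv, posted)   # replayed invoice
    short = GoodsReceipt("PO-7001", 90, "storeman1")             # short delivery
    padded = Invoice("KB-0452", "Kano Builders", "PO-7001", 100, 6000.0, "buyer1")
    fraud_ok, fraud_why = approve_payment(po, short, padded, posted)
    return {"first": first_ok, "duplicate": again_ok, "dup_reason": again_why,
            "fraud": fraud_ok, "fraud_reasons": fraud_why}

if __name__ == "__main__":
    print(demo())
```

In a real ERP the SoD check runs against role assignments at provisioning time as well as against the users recorded on each document; checking only one of the two leaves either dormant conflicts or emergency-access abuse undetected.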
E-Payment Attack Scenarios
Problem: Risks and security concerns with Cloud Computing
Recommendations:
Reputation, history and sustainability are factors to be considered in choosing a provider.
Business continuity and disaster recovery plans must be well documented and periodically tested.
Options to minimize impact if the provider's service is interrupted.
Agreed-upon service levels (SLA) with the provider.
Define backup and recovery time objectives.
Proper classification and labeling of data for ease of identification and to ensure data are not merged with competitors'.
Transparency and a robust assurance approach to the cloud provider's security and control environment.
Countermeasures
SUGGESTED SECURITY BEST PRACTICES
Complete reliance on the strength of IT-based access controls.
Security policies, procedures and standards
Application and data ownership
Segregation of Duties
Logical and physical security
Super user privilege management
Compliant user provisioning with access approval
User-based role management (unique access based on need to know) and security administration
Virus protection
Authentication with any combination of ID, password, PIN, card, security code key on the go, biometrics, etc.
Countermeasures
INFORMATION MANAGEMENT SECURITY ROAD MAP
Effective risk management requires a strong balance of:
Organizational support
  Dedicated management
People
  Staff members play a critical role in protecting the integrity, confidentiality, and availability of IT systems and networks
  Training, awareness, enforcement and compensation
Selection of appropriate technology
  Firewalls
  Intrusion detection
  Virus protection
  Authentication and authorization
  Encryption
  Data and information backup
Countermeasures
INFORMATION MANAGEMENT SECURITY ROAD MAP (continued)
Effective and well-controlled processes
  Security goals - operating, financial and strategic objectives
  Risk factor impact analysis - internal and external
  Evaluate and improve on existing security practices
The PCI Security Standards Council's required process to mitigate emerging e-payment security risks has helped a lot:
  Build and Maintain a Secure Network
  Protect Cardholder Data
  Maintain a Vulnerability Management Program
  Implement Strong Access Control Measures
  Regularly Monitor and Test Networks
  Maintain an Information Security Policy
Each of these (organization, people, technology and processes) interacts with, impacts and supports the others, often in complex ways, and if any one is deficient, information security is diminished.
Information Security Objectives
Identification
Authentication
Authorization
Access Control
Integrity (data integrity)
Availability
Reliability
Confidentiality
Non-repudiation
Information Security Objectives
BENEFITS OF A SECURED E-PAYMENT ENVIRONMENT
Privacy to fight or stop identity theft.
Preventive measures to help stop ATM, online, e-payment, bank account and other frauds.
Enhanced confidence in e-payment transactions.
Alerts to potential victims of online frauds.
Strong measures that help protect online purchases.
Secure online banking transactions.
Way Forward
GOVERNMENT'S ROLE
Political Will
In the US, the Sarbanes-Oxley Act was passed by Congress and signed into law by the President on 30 July 2002.
Its Section 404 requires senior management of public companies and their auditors to annually assess and report on the design and effectiveness of internal controls over financial reporting.
It fundamentally changed the business and regulatory environment.
It enhances corporate governance through strong internal checks and reporting.
Enforcement with high monetary and legal sanctions for non-compliance
Collaboration with States and other stakeholders
Massive awareness campaign
More work for NITDA and other relevant organs
Way Forward
EXECUTIVE MANAGEMENT'S ROLE
IT professionals, especially those in executive positions, need to be well versed in internal control frameworks and standards.
Government officials, CEOs, CIOs and other executives responsible for the implementation and management of information security must comply and take on the challenges of:
Enhancing their knowledge of security and internal controls.
Understanding their organization's overall security needs.
Developing and implementing an effective information security and controls program.
Integrating this plan into the overall IT and corporate strategies.
Conclusion
Most would agree that the reliability of financial reporting is heavily dependent on a well-controlled IT environment.
Security of systems, data and infrastructure components is critical to e-commerce and e-payment for ICT deployment.
Legislative and regulatory measures are very critical to the success of ICT deployment.
Organizations must have a comprehensive plan to develop information security standards and ensure sustainability.
Effectively managed ICT security can support the achievement of business goals and objectives.
Conclusion
Questions, Discussions, ….