Security concerns-with-e-commerce

Security Concerns with
e-Commerce
Bretttrout.com

Copyright 2001 Brett J. Trout

Electronic Communications Privacy
Act and Employers (ECPA)
 Enacted in 1986
 Amends Omnibus Crime Control Act


ECPA
 Prohibits interception of e-mail
 Prohibits access to stored e-mail
 Allows Employers to monitor employees
 Applies to both
 Accessing database
 Capturing keystrokes


ECPA Title II
 Prohibits intentional access of an electronic
communication service
 Relates to any stored electronic communication
 Email
 Fax
 etc.


ECPA Title II Exceptions
 Provider of the service
 AOL
 Employer

 Etc.

 Anyone with authorization
 Express
 Implied.


ECPA Title III
 Prohibits intentional interception of any
electronic communication
 Makes it a crime to capture email while
enroute


ECPA Title III Exceptions
 Employee consented
 impliedly
 expressly

 employment agreement

 email policy

 Employer interception must be in the ordinary
course of business


ECPA Take Home
 Employer can
 Monitor stored e-mail
 Intercept e-mail

 Give Employees express notice
 employment agreement
 email policy

 Monitor only in ordinary course of business
 Stop reading if e-mail is personal


Computer Fraud and Abuse Act
 Enacted in 1984 to stem computer crime
 Amended in 1996 (National Information
Infrastructure Protection Act) to criminalize:
 Threats to computer networks
 Release of viruses or worms

 Hacking

 Hijacking

 Destructive ecommerce activity


CFAA Makes it Illegal
 To knowingly access a computer without
authorization
 For fraudulent purposes
 To access confidential information

 To access financial information

 To cause damage to a computer system


Economic Espionage Act
 Enacted in 1996
 18 U.S.C. section 1831 et seq.

 Makes it illegal to take or receive
trade secrets
 Enacted to curb economic and
industrial espionage


EEA
 Civil Penalties
 Injunction

 Forfeiture of profits and instrumentalities
to government
 Criminal Penalties
 Injure or benefit - 10yr/250K/5M

 Benefit foreign power – 15yr/500K/10M


Hacking
 According to PriceWaterhouseCooper
 Hacking cost United States companies

$1.5 trillion in 2000

 World Trade Center insurable loss

$50 billion

 One year of hacking equals 30 Trade
Center attacks.

Types of Hacking
 Denial of Service Attack
 Packet Sniffing
 Spoofing
 Keystroke Monitoring
 Viruses
 Cracking
 Exploiting Holes
 Diddling


Denial of Service Attack
 Any action to prevent server from functioning
 Usually enlists unsecure computers to bombard
server with requests
 Floods server
 Prevents normal functioning

 Difficult to track down


Packet Sniffing
 Internet information travels in packets with
“header”
 Sniffer software searches for packets containing
these headers
 Used to audit and identify network packet traffic
 Can uncover passwords and/or usernames
 Easy to do
 Difficult to detect

Spoofing
 Pretending to be another user
 Includes

 Deceptive sender information (spam)

 Deceptive use of username and/or
password


Keystroke Monitoring
 Inexpensive software
 Installed on computer
 Hardwired to computer

 Allows
 Reconstruction of user’s activity
 Identification of usernames/passwords

 Illegal


Viruses
 Software that
 Modifies other software
 Replicates itself

 Sends itself on to other computers

 Types
 Replication
 DOS

 Data destruction


Virus Prevention
 Virus protection software
 Only works if it is turned on
 Constantly update

 Keep apprised of latest viruses
 Do not open attachments from unknown
senders


Virus Prevention
 Do not open files with extensions:
 .exe
 .vbs

 .pif

 Use Eudora, rather than Outlook


Cracking
 Defeating copy-protection
 Determining passwords/usernames
 Typically illegal


Exploiting Security Holes

 Microsoft XP e-wallet
 Unauthorized users could get credit card
information
 Microsoft Outlook
 Vulnerable to viruses
 Keep abreast of
 New developments
 Patches


Diddling
 Obtaining unauthorized access to
 Modify

 Delete

 Set time bomb


Insurance
 Typically very expensive
 Very good exercise to identify and address
problems


Insurance
 The number of companies who cited their
Internet connection as a frequent point of attack
has increased steadily from 47% in 1998 to 70%
in 2001.

Marsh Advantage America
Leisa Fox
www.netsecuresite.com


Insurance
 78% of companies acknowledged financial
losses due to computer breaches
 37% of companies are willing or able to quantify
their financial losses
 The most serious financial losses occur through
theft of proprietary information.
Marsh Advantage America-Leisa Fox


Misconceptions
 I have staff in place who are keeping me safe
 I have a firewall, so I’m protected
 Our network is password protected, so I’m doing all I
can.
 Our contracts transfer liability, so I have nothing to
worry about
 My employees would never do anything to jeopardize
my companies data


Risks
Legal Risks
Credibility Risks

Security Risks

Financial Risks


Legal Risks
 Defense Costs - exaggerated because of the lack of
current case law
 Inability to determine value of Intellectual Property

 Copyright/Trademark Infringement

 Libel/Slander & Defamation

 Plagiarism

 D&O suit for insufficient security measures

 Regulatory Costs


Security Risks
DigitalTerrorism
Internal Crime

External Crime

Virus Attacks


Credibility Risks

Organizationsthat experience security
breaches keep them quiet.
A breach can do grave damage to a
company’s reputation.


Financial Risks
Prior risks translate into costs:
Business Income Loss

Reconstruction of lost data

Investor Relationships

Defense Costs


Solutions
 Identify & Prioritize the risks
 Consider Technology Solutions

 Consider Process/Policy Solutions

 Transfer or Eliminate Risks that are to costly
to retain


Key People
 The C’s - CEO’s, CFO’s, CTO’s, CSO’s, CIO’s
 Human Resources

 IT

 Marketing

 Legal Counsel

 Risk Manager/Insurance Agent


Misconceptions
I have coverage under my package policy
 I have an E&O Policy that covers it

 I have an EDP Policy



Policies Cover
 Policies may include coverage for:
 Virus Attacks

 Data reconstruction

 Business Income Loss

 Disaster Recovery

 Defense Costs, etc.


Costs
 Pricing varies greatly based on exposures.
 Third party policies are vastly more affordable
than First party policies.
 You can expect to pay anywhere from $7,500 to
$100,000 for a Cyber Risk Policy.


Internet Privacy
You have zero privacy anyway
Get over it.

 Scott McNeally, Sun Microsystems CEO Wired
News (March 11, 1999)


Internet Privacy Policy
 Components
 Notice of Data Collection – How, What,
Why
 Choice – Partial or total “opt out”

 Access to Data – Option to modify or
delete
 Security


Internet Privacy
 Privacy Policy
 Develop one today
 Follow it
 Designate IT privacy czar

 Audit your policy - regularly


Consumer Privacy Protection Act
 Pending legislation
 Mandates privacy collection procedures
 Private Right of Action
 $50,000 statutory damages
 Punitive damages

 Attorney fees

 Something like this will become law


Cookies
 A computer science term
 An opaque piece of data held by an
intermediary


What is a Cookie?

 HTTP header
 Text-only string
 Associated with your browser
 Unique identifier
 Cannot be used as a virus

 Cannot access your hard drive.


Doubleclick
 Doubleclick used cookies to aggregate user
information
 Users sued
 SDNY Court held 3/28/2001
 No violation


Children’s Online Privacy
Protection Act

Requires the Federal Trade Commissioner to
issue and enforce regulations which
regulate the ability of Websites to collect
personal information from children under
the age of 13.


COPPA
 Passed into Law October 21, 1998
 Covers personal information collected after
April 21, 2000
 COPPA applies to
 Web sites and online services
 Targeted to, or know they are
 Collecting data
 From children under 13.


COPPA Requirements
 Post a privacy policy
 Conspicuous

 What data you collect

 What you do with it.

 Obtain verifiable consent from the child's parent
 Before you collect any data. Importantly

 Change in policy requires new consent


COPPA Requirements
 Give option to revoke consent
 Allow parents to review data collected
 Ensure security and integrity of the data you
collect.


Gramm-Leach Bliley

Subjects “financial institutions” to certain
reporting and disclosure requirements
intended to ensure the personal and
financial privacy of customers


“Financial Institution”
 Lending, exchanging, transferring, investing for
others, or safeguarding money or securities;
 Issuing or selling instruments representing
interests in pools of assets which a bank can
hold directly;
 Engaging in any activity … so closely related to
banking or managing … as to be a proper
incident thereto.


GLB Data Disclosure
 Opt out
 Prohibits disclosure by financial institution, without
allowing consumer to opt out.
 Third party disclosure
 Allowed for the purpose of permitting third party to
perform services for the financial institution.


GLB Data Disclosure
 Prohibits third party from disclosing nonpublic
personal information
 Unless disclosure would be lawful if made directly to
such other person by the financial institution.
 Prohibits sharing of account number
information for marketing purposes
 Different requirements for different levels of
relationships.


Health Insurance Portability and
Accountability Act

Forces health providers and insurers to use
technology in a more uniform, less
proprietary manner


HIPPA Goals

 Standardization

 Security

 Privacy


Areas of Focus
 Technical Security Services
 User authorization and authentication
 Access control and encryption
 Administrative Procedures
 Formal security planning
 Record maintenance and audits
 Physical Safeguards
 Security to building
 Privacy for workstations handling patient information


HIPPA
 Can apply to both health care and non-health
care entities
 Forces covered entities to uniformly transmit
and receive certain data electronically
 Requires the use of standard identifiers (rather
than proprietary codes) to identify health care
providers, employers, health plans and patients


Employers
 Must have written policies and notify employees
of HIPPA policies
 Must get consents to the release of certain
information in certain circumstances
 Must give employees access to their medical
records
 Must have contacts in place with providers to
insure that they safeguard information


Employers
 Identify stored health information and who has
access to it
 Identify how the information is used and its
flow
 Correlate all privacy policies
 Standardize all relevant third-party provider
contracts


European Union Directive on
Privacy
 Effective 25 October 1998
 Every EU must enact national law consistent
with the Directive
 Many EU countries had privacy laws before the
Directive


EU Directive
 World-wide standard
 Enforcement has begun in the U.S.


Compliance

 The Safe Harbor
 Specific contracts blessed by European Data
Protection Authorities
 Exceptions or derogations to the Directive


Safe Harbor
 Seven privacy principles issued by US
Department of Commerce on July 21, 2000 for
“personal data” collection


Seven Provisions
 Notice
 Opt in

 Opt out

 Security

 Maintain Integrity of Data

 Procedure for Data Correction

 Data Transfer


Notice
 Clear Language
 Purpose of Collection

 Contact information for inquiries or
complaints
 To whom you disclose information

 Options for limiting use and disclosure of
the information.

Opt in/Opt out
 Opt out
 Disclosed to third party
 Used for new purpose

 Opt in
 Sensitive information
 Race, health, union membership, sexual preference
 If disclosed to third party

 If used for new purpose


Security
 Loss
 Misuse
 Unauthorized access
 Disclosure
 Alteration
 Destruction.


Maintain Integrity of Data

 Reliable for intended use
 Accurate

 Complete

 Current.


Procedures For Correction
 Correct, amend, or delete inaccurate information
 Not necessary where:
 Burden much greater than potential harm
 Would compromise confidential information of
others


Data Transfer
 Must include
 Notice Provisions
 Choice Provisions

 Agent must
 Subscribe to the foregoing principles; or
 Enter into a written agreement requiring agent
provide at least the same level of privacy protection
as provider


Safe Harbor
 Access
 Individuals must have access to “their” information
 Ability to correct or remove inaccurate information
 “Disproportionate burden” exception
 Enforcement
 Mechanisms for investigating and resolving
complaints
 Procedures for verifying privacy statements

 Obligation to remedy problems

EU Directive
 Enforcement by competitors
 Failure to comply could lead to cut-off in data
and actions against European partners


Falling Under Safe Harbor
 Self-certification on DOC website
 Hard part - applying to business practices
 Financial services firms cannot join Safe Harbor
unless under the FTC


EU Directive
 Over 40 countries now have substantial privacy
laws
 Most either copy or comply with the EU Privacy
Directive


EU Directive
 Compliance requirement is real

 Safe Harbor likely best but not only option

 Don’t copy another company’s privacy policy


What To Do
 Audit current privacy practice
 Develop EU Directive conforming policy
 Comport practice with policy
 Require Warranties & Indemnities from third
parties using your data
 Encrypt data transmissions


Privacy Technology
 Establish Firewall
 Monitor Cookies – turn off as appropriate
 Run Virus Detection Software
 Anonymizer
 TRUSTe - will review your privacy policy
 Asymmetric cryptography
 Future technology
 Platform For Privacy Preferences
 Defines exactly the level of information disclosed


Additional Steps
 Security Policies
 Rotate passwords
 Monitor access and file transfer
 Implement network vulnerability study
 Implement a disaster recovery plan
 Limit modification of workstation
 Obtain insurance


Thank You


Security concerns-with-e-commerce

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Andere mochten auch

Andere mochten auch (12)

Ähnlich wie Security concerns-with-e-commerce

Ähnlich wie Security concerns-with-e-commerce (20)

Mehr von Onkar Sule

Mehr von Onkar Sule (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Security concerns-with-e-commerce