Your SlideShare is downloading. ×
Security concerns-with-e-commerce
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Security concerns-with-e-commerce

821
views

Published on

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
821
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
14
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Security Concerns with e-Commerce Bretttrout.com Copyright 2001 Brett J. Trout
  • 2. Electronic Communications Privacy Act and Employers (ECPA) Enacted in 1986 Amends Omnibus Crime Control Act Copyright 2001 Brett J. Trout
  • 3. ECPA Prohibits interception of e-mail Prohibits access to stored e-mail Allows Employers to monitor employees Applies to both  Accessing database  Capturing keystrokes Copyright 2001 Brett J. Trout
  • 4. ECPA Title II Prohibits intentional access of an electronic communication service Relates to any stored electronic communication  Email  Fax  etc. Copyright 2001 Brett J. Trout
  • 5. ECPA Title II Exceptions Provider of the service  AOL  Employer  Etc. Anyone with authorization  Express  Implied. Copyright 2001 Brett J. Trout
  • 6. ECPA Title III Prohibits intentional interception of any electronic communication Makes it a crime to capture email while enroute Copyright 2001 Brett J. Trout
  • 7. ECPA Title III Exceptions Employee consented  impliedly  expressly  employment agreement  email policy Employer interception must be in the ordinary course of business Copyright 2001 Brett J. Trout
  • 8. ECPA Take Home Employer can  Monitor stored e-mail  Intercept e-mail Give Employees express notice  employment agreement  email policy Monitor only in ordinary course of business Stop reading if e-mail is personal Copyright 2001 Brett J. Trout
  • 9. Computer Fraud and Abuse Act Enacted in 1984 to stem computer crime Amended in 1996 (National Information Infrastructure Protection Act) to criminalize:  Threats to computer networks  Release of viruses or worms  Hacking  Hijacking  Destructive ecommerce activity Copyright 2001 Brett J. Trout
  • 10. CFAA Makes it Illegal To knowingly access a computer without authorization  For fraudulent purposes  To access confidential information  To access financial information  To cause damage to a computer system Copyright 2001 Brett J. Trout
  • 11. Economic Espionage Act Enacted in 1996 18 U.S.C. section 1831 et seq. Makes it illegal to take or receive trade secrets Enacted to curb economic and industrial espionage Copyright 2001 Brett J. Trout
  • 12. EEA Civil Penalties  Injunction  Forfeiture of profits and instrumentalities to government Criminal Penalties  Injure or benefit - 10yr/250K/5M  Benefit foreign power – 15yr/500K/10M Copyright 2001 Brett J. Trout
  • 13. Hacking According to PriceWaterhouseCooper  Hacking cost United States companies $1.5 trillion in 2000  World Trade Center insurable loss $50 billion One year of hacking equals 30 Trade Center attacks. Copyright 2001 Brett J. Trout
  • 14. Types of Hacking Denial of Service Attack Packet Sniffing Spoofing Keystroke Monitoring Viruses Cracking Exploiting Holes Diddling Copyright 2001 Brett J. Trout
  • 15. Denial of Service Attack Any action to prevent server from functioning Usually enlists unsecure computers to bombard server with requests  Floods server  Prevents normal functioning  Difficult to track down Copyright 2001 Brett J. Trout
  • 16. Packet Sniffing Internet information travels in packets with “header” Sniffer software searches for packets containing these headers Used to audit and identify network packet traffic Can uncover passwords and/or usernames Easy to do Difficult to detect Copyright 2001 Brett J. Trout
  • 17. Spoofing Pretending to be another user Includes  Deceptive sender information (spam)  Deceptive use of username and/or password Copyright 2001 Brett J. Trout
  • 18. Keystroke Monitoring Inexpensive software  Installed on computer  Hardwired to computer Allows  Reconstruction of user’s activity  Identification of usernames/passwords Illegal Copyright 2001 Brett J. Trout
  • 19. Viruses Software that  Modifies other software  Replicates itself  Sends itself on to other computers Types  Replication  DOS  Data destruction Copyright 2001 Brett J. Trout
  • 20. Virus Prevention Virus protection software  Only works if it is turned on  Constantly update Keep apprised of latest viruses Do not open attachments from unknown senders Copyright 2001 Brett J. Trout
  • 21. Virus Prevention Do not open files with extensions:  .exe  .vbs  .pif Use Eudora, rather than Outlook Copyright 2001 Brett J. Trout
  • 22. Cracking Defeating copy-protection Determining passwords/usernames Typically illegal Copyright 2001 Brett J. Trout
  • 23. Exploiting Security Holes Microsoft XP e-wallet  Unauthorized users could get credit card information Microsoft Outlook  Vulnerable to viruses Keep abreast of  New developments  Patches Copyright 2001 Brett J. Trout
  • 24. Diddling Obtaining unauthorized access to  Modify  Delete  Set time bomb Copyright 2001 Brett J. Trout
  • 25. Insurance Typically very expensive Very good exercise to identify and address problems Copyright 2001 Brett J. Trout
  • 26. Insurance The number of companies who cited their Internet connection as a frequent point of attack has increased steadily from 47% in 1998 to 70% in 2001. Marsh Advantage America Leisa Fox www.netsecuresite.com Copyright 2001 Brett J. Trout
  • 27. Insurance 78% of companies acknowledged financial losses due to computer breaches 37% of companies are willing or able to quantify their financial losses The most serious financial losses occur through theft of proprietary information. Marsh Advantage America-Leisa Fox www.netsecuresite.com Copyright 2001 Brett J. Trout
  • 28. Misconceptions I have staff in place who are keeping me safe I have a firewall, so I’m protected Our network is password protected, so I’m doing all I can. Our contracts transfer liability, so I have nothing to worry about My employees would never do anything to jeopardize my companies data Copyright 2001 Brett J. Trout
  • 29. Risks Legal Risks Credibility Risks Security Risks Financial RisksMarsh Advantage America-Leisa Fox www.netsecuresite.com Copyright 2001 Brett J. Trout
  • 30. Legal Risks Defense Costs - exaggerated because of the lack of current case law Inability to determine value of Intellectual Property Copyright/Trademark Infringement Libel/Slander & Defamation Plagiarism D&O suit for insufficient security measures Regulatory Costs Copyright 2001 Brett J. Trout
  • 31. Security Risks DigitalTerrorism Internal Crime External Crime Virus AttacksMarsh Advantage America-Leisa Fox www.netsecuresite.com Copyright 2001 Brett J. Trout
  • 32. Credibility RisksOrganizationsthat experience security breaches keep them quiet.A breach can do grave damage to a company’s reputation. Marsh Advantage America-Leisa Fox www.netsecuresite.com Copyright 2001 Brett J. Trout
  • 33. Financial Risks Prior risks translate into costs:Business Income LossReconstruction of lost dataInvestor RelationshipsDefense Costs Marsh Advantage America-Leisa Fox www.netsecuresite.com Copyright 2001 Brett J. Trout
  • 34. Solutions Identify & Prioritize the risks Consider Technology Solutions Consider Process/Policy Solutions Transfer or Eliminate Risks that are to costly to retain Marsh Advantage America-Leisa Fox www.netsecuresite.com Copyright 2001 Brett J. Trout
  • 35. Key People The C’s - CEO’s, CFO’s, CTO’s, CSO’s, CIO’s Human Resources IT Marketing Legal Counsel Risk Manager/Insurance Agent Marsh Advantage America-Leisa Fox www.netsecuresite.com Copyright 2001 Brett J. Trout
  • 36. MisconceptionsI have coverage under my package policy I have an E&O Policy that covers it I have an EDP Policy Marsh Advantage America-Leisa Fox www.netsecuresite.com Copyright 2001 Brett J. Trout
  • 37. Policies Cover Policies may include coverage for:  Virus Attacks  Data reconstruction  Business Income Loss  Disaster Recovery  Defense Costs, etc. Marsh Advantage America-Leisa Fox www.netsecuresite.com Copyright 2001 Brett J. Trout
  • 38. Costs Pricing varies greatly based on exposures. Third party policies are vastly more affordable than First party policies. You can expect to pay anywhere from $7,500 to $100,000 for a Cyber Risk Policy. Marsh Advantage America-Leisa Fox www.netsecuresite.com Copyright 2001 Brett J. Trout
  • 39. Internet Privacy You have zero privacy anyway Get over it. Scott McNeally, Sun Microsystems CEO Wired News (March 11, 1999) Copyright 2001 Brett J. Trout
  • 40. Internet Privacy Policy Components  Notice of Data Collection – How, What, Why  Choice – Partial or total “opt out”  Access to Data – Option to modify or delete  Security Copyright 2001 Brett J. Trout
  • 41. Internet Privacy Privacy Policy  Develop one today  Follow it Designate IT privacy czar Audit your policy - regularly Copyright 2001 Brett J. Trout
  • 42. Consumer Privacy Protection Act Pending legislation Mandates privacy collection procedures Private Right of Action  $50,000 statutory damages  Punitive damages  Attorney fees Something like this will become law Copyright 2001 Brett J. Trout
  • 43. Cookies A computer science term  An opaque piece of data held by an intermediary Copyright 2001 Brett J. Trout
  • 44. What is a Cookie? HTTP header Text-only string Associated with your browser Unique identifier  Cannot be used as a virus  Cannot access your hard drive. Copyright 2001 Brett J. Trout
  • 45. Doubleclick Doubleclick used cookies to aggregate user information Users sued SDNY Court held 3/28/2001  No violation Copyright 2001 Brett J. Trout
  • 46. Children’s Online Privacy Protection ActRequires the Federal Trade Commissioner to issue and enforce regulations which regulate the ability of Websites to collect personal information from children under the age of 13. Copyright 2001 Brett J. Trout
  • 47. COPPA Passed into Law October 21, 1998 Covers personal information collected after April 21, 2000 COPPA applies to  Web sites and online services  Targeted to, or know they are  Collecting data  From children under 13. Copyright 2001 Brett J. Trout
  • 48. COPPA Requirements Post a privacy policy  Conspicuous  What data you collect  What you do with it. Obtain verifiable consent from the childs parent  Before you collect any data. Importantly  Change in policy requires new consent Copyright 2001 Brett J. Trout
  • 49. COPPA Requirements Give option to revoke consent Allow parents to review data collected Ensure security and integrity of the data you collect. Copyright 2001 Brett J. Trout
  • 50. Gramm-Leach BlileySubjects “financial institutions” to certain reporting and disclosure requirements intended to ensure the personal and financial privacy of customers Copyright 2001 Brett J. Trout
  • 51. “Financial Institution” Lending, exchanging, transferring, investing for others, or safeguarding money or securities; Issuing or selling instruments representing interests in pools of assets which a bank can hold directly; Engaging in any activity … so closely related to banking or managing … as to be a proper incident thereto. Copyright 2001 Brett J. Trout
  • 52. GLB Data Disclosure Opt out  Prohibits disclosure by financial institution, without allowing consumer to opt out. Third party disclosure  Allowed for the purpose of permitting third party to perform services for the financial institution. Copyright 2001 Brett J. Trout
  • 53. GLB Data Disclosure Prohibits third party from disclosing nonpublic personal information  Unless disclosure would be lawful if made directly to such other person by the financial institution. Prohibits sharing of account number information for marketing purposes Different requirements for different levels of relationships. Copyright 2001 Brett J. Trout
  • 54. Health Insurance Portability and Accountability ActForces health providers and insurers to use technology in a more uniform, less proprietary manner Copyright 2001 Brett J. Trout
  • 55. HIPPA Goals Standardization Security Privacy Copyright 2001 Brett J. Trout
  • 56. Areas of Focus Technical Security Services  User authorization and authentication  Access control and encryption Administrative Procedures  Formal security planning  Record maintenance and audits Physical Safeguards  Security to building  Privacy for workstations handling patient information Copyright 2001 Brett J. Trout
  • 57. HIPPA Can apply to both health care and non-health care entities Forces covered entities to uniformly transmit and receive certain data electronically Requires the use of standard identifiers (rather than proprietary codes) to identify health care providers, employers, health plans and patients Copyright 2001 Brett J. Trout
  • 58. Employers Must have written policies and notify employees of HIPPA policies Must get consents to the release of certain information in certain circumstances Must give employees access to their medical records Must have contacts in place with providers to insure that they safeguard information Copyright 2001 Brett J. Trout
  • 59. Employers Identify stored health information and who has access to it Identify how the information is used and its flow Correlate all privacy policies Standardize all relevant third-party provider contracts Copyright 2001 Brett J. Trout
  • 60. European Union Directive on Privacy Effective 25 October 1998 Every EU must enact national law consistent with the Directive Many EU countries had privacy laws before the Directive Copyright 2001 Brett J. Trout
  • 61. EU Directive World-wide standard Enforcement has begun in the U.S. Copyright 2001 Brett J. Trout
  • 62. Compliance The Safe Harbor Specific contracts blessed by European Data Protection Authorities Exceptions or derogations to the Directive Copyright 2001 Brett J. Trout
  • 63. Safe Harbor Seven privacy principles issued by US Department of Commerce on July 21, 2000 for “personal data” collection Copyright 2001 Brett J. Trout
  • 64. Seven Provisions Notice Opt in Opt out Security Maintain Integrity of Data Procedure for Data Correction Data Transfer Copyright 2001 Brett J. Trout
  • 65. Notice Clear Language Purpose of Collection Contact information for inquiries or complaints To whom you disclose information Options for limiting use and disclosure of the information. Copyright 2001 Brett J. Trout
  • 66. Opt in/Opt out Opt out  Disclosed to third party  Used for new purpose Opt in  Sensitive information  Race, health, union membership, sexual preference  If disclosed to third party  If used for new purpose Copyright 2001 Brett J. Trout
  • 67. Security Loss Misuse Unauthorized access Disclosure Alteration Destruction. Copyright 2001 Brett J. Trout
  • 68. Maintain Integrity of Data Reliable for intended use Accurate Complete Current. Copyright 2001 Brett J. Trout
  • 69. Procedures For Correction Correct, amend, or delete inaccurate information Not necessary where:  Burden much greater than potential harm  Would compromise confidential information of others Copyright 2001 Brett J. Trout
  • 70. Data Transfer Must include  Notice Provisions  Choice Provisions Agent must  Subscribe to the foregoing principles; or  Enter into a written agreement requiring agent provide at least the same level of privacy protection as provider Copyright 2001 Brett J. Trout
  • 71. Safe Harbor Access  Individuals must have access to “their” information  Ability to correct or remove inaccurate information  “Disproportionate burden” exception Enforcement  Mechanisms for investigating and resolving complaints  Procedures for verifying privacy statements  Obligation to remedy problems Copyright 2001 Brett J. Trout
  • 72. EU Directive Enforcement by competitors Failure to comply could lead to cut-off in data and actions against European partners Copyright 2001 Brett J. Trout
  • 73. Falling Under Safe Harbor Self-certification on DOC website  Hard part - applying to business practices Financial services firms cannot join Safe Harbor unless under the FTC Copyright 2001 Brett J. Trout
  • 74. EU Directive Over 40 countries now have substantial privacy laws Most either copy or comply with the EU Privacy Directive Copyright 2001 Brett J. Trout
  • 75. EU Directive Compliance requirement is real Safe Harbor likely best but not only option Don’t copy another company’s privacy policy Copyright 2001 Brett J. Trout
  • 76. What To Do Audit current privacy practice Develop EU Directive conforming policy Comport practice with policy Require Warranties & Indemnities from third parties using your data Encrypt data transmissions Copyright 2001 Brett J. Trout
  • 77. Privacy Technology Establish Firewall Monitor Cookies – turn off as appropriate Run Virus Detection Software Anonymizer TRUSTe - will review your privacy policy Asymmetric cryptography Future technology  Platform For Privacy Preferences  Defines exactly the level of information disclosed Copyright 2001 Brett J. Trout
  • 78. Additional Steps Security Policies Rotate passwords Monitor access and file transfer Implement network vulnerability study Implement a disaster recovery plan Limit modification of workstation Obtain insurance Copyright 2001 Brett J. Trout
  • 79. Thank You Copyright 2001 Brett J. Trout