Information Management Security: A Necessary Pre-requisite for ICT Deployment for National Development in Nigeria

PRESENTED BY

DN S. B. BAMIDELE, CISM, CGEIT, CSOXP, CCGP, CISA

Work Experience:

NIGERIA - NB plc and Lagos State Government

USA - KPMG, EDS, HP and Control Solutions

AT

“eNigeria 2010” International Conference and Exhibition

18TH MAY, 2010



Organization of Presentation

I. The Critical Nature of Information Security

II. Wrong Perspectives to Information Security

III. Information Security Attacks and Hackers

IV. E-Payment Attack Scenarios (Examples of Security Challenges)

V. Countermeasures (Organization, Personnel, Technology, Processes)

VI. Information Security Objectives

VII. Way Forward & Recommendations

VIII. Discussion & Conclusion

I. The Critical Nature of Information Security

INTRODUCTION

Government and enterprises have become increasingly dependent on IT to facilitate business operations in this era of global economy, cross-organization collaboration, online trade and E-payment adoption.

The speed, accuracy, and integrity of information are critical to the business. It is the difference between having doubts about financial statements and being confident of their accuracy.

Information Management Security is therefore critical to an entity’s ability not only to survive but also to thrive, more than ever now that businesses have “gone global” as a result of expanding e-commerce capabilities.


CONCEPT OF E-COMMERCE - eNIGERIA

Applications fuel businesses, and increasingly complex applications and their information are the lifeblood of today's fast-paced e-commerce businesses.

That means the health and viability of an e-commerce business depend heavily on the strength and security of its ICT systems.

As such, Information Management Security is a Necessary Pre-requisite for ICT Deployment for National Development in Nigeria, especially for the success of our “ICT4D plan and Global E-Payment Adoption”.

Therefore, to achieve our national development programme of the Seven Point Agenda and Vision 20-2020, ICT security must be accorded the necessary priority by all.


DEFINITIONS

“Information security provides the assurance for trust, confidentiality, integrity, availability of business transactions and information; and ensure critical confidential information is withheld from those who should not have access to it.” - ISACA

All measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use. – COBIT


CARDHOLDER DATA SECURITY – E-PAYMENT

The Payment Card Industry Data Security Standard (PCI DSS) enhances cardholder data security and facilitates the broad adoption of consistent data security measures globally.

The PCI DSS security requirements apply to all system components that are included in or connected to the cardholder data environment:

Network

Servers

Applications

II. Wrong Perspectives to Information Security

SOME SOURCES OF EXPOSURE FOR EXECUTIVES

Failure to mandate the right security culture.

Failure to implement an effective control framework.

Inability to embed risk management into corporate strategy.

Not being able to detect what the most critical and significant security weaknesses are and where they exist within the organization.

Risk management investments not well monitored.

Failure to measure the performance of investments in information security initiatives, and to know what residual security risks remain.


SOME SOURCES OF EXPOSURE ORGANIZATION-WIDE

That security is someone else’s responsibility.

No collaborative effort to link the security program to business goals.

Exact role of information security not clearly defined.

Enterprises too often view information security in isolation.

Some view it as solely a technical discipline.

Businesses still struggle to keep up with regulatory requirements, economic conditions and risk management.


SOME POPULAR FALLACIES

If I never log off then my computer can never get a virus.

I got this disc from my (IT department, manager, boss, mother, friend, spouse) so it must be okay.

But I only downloaded one file.

I am too smart to fall for a scam.

My friend... who knows a lot about computers showed me this really cool site…

My vendor will protect me.

My ISP will protect me!!!

It is easy, therefore, for this compartmentalized approach to lead to weaknesses in security management, possibly resulting in serious exposure.

III. Information Security Attacks

POTENTIAL SECURITY ISSUES

Denial of Service (DoS) Attacks

Website Defacement or Modification

Viruses and Worms

Data Sniffing, Phishing, Spoofing, SMishing

Malicious Code and Trojans

Port-scanning and Probing

Wireless Attacks

Theft of Confidential Information

System Sabotage

Internal Staff Abusing Access

Financial Fraud Through Deception

Theft of Computer Equipment

World-Wide Cyber Attack Trends

[Chart: Malicious Code Infection Attempts* (left axis, 0 to 900M) and Network Intrusion Attempts** (right axis, 0 to 120,000), 1995 to 2002, annotated with Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay) and Blended Threats (CodeRed, Nimda, Slammer).]

* Analysis by Symantec Security Response using data from Symantec, IDC & ICSA;

** Source: CERT; 2002 Intrusion Attempts were 82,094; 1&2Q 2003 total already was 76,404


TYPES OF E-FRAUD

Identity Theft

Extortion (reputation)

Salami Slice

Funds Transfer

Electronic Money Laundering


IDENTITY THEFT FOR E-PAYMENT FRAUD

Identity theft is when your personal information is stolen and used illegally, especially for E-payment.

Keep financial data secret from unauthorized parties (privacy) – CRYPTOGRAPHY

Verify that messages have not been altered in transit (integrity) – HASH FUNCTIONS

Non-denial that a party engaged in a transaction (non-repudiation) – DIGITAL SIGNATURES

Verify identity of users (authentication) – PASSWORDS, PIN NUMBERS, SECURITY KEYS, DIGITAL CERTIFICATES
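The goal-to-mechanism pairs above, shown as working Go code. This is an added example, not code from the presentation or from any bank it describes: `EncryptAESGCM`/`DecryptAESGCM` (AES-256-GCM from the Go standard library) stand in for CRYPTOGRAPHY, `Digest` (SHA-256) for HASH FUNCTIONS, and `Sign`/`Verify` (Ed25519) for DIGITAL SIGNATURES. The payment instruction, the key and the key pair are constructed sample values; the authentication factors (passwords, PINs, certificates) are not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// EncryptAESGCM keeps a payment instruction private (confidentiality).
// The random nonce is prefixed to the ciphertext so the receiver can open it.
func EncryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAESGCM reverses EncryptAESGCM; GCM's authentication tag makes
// Open fail on any alteration of the sealed message.
func DecryptAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed message too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Digest is the SHA-256 fingerprint compared at the receiving end to detect
// alteration in transit (integrity).
func Digest(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

// Sign and Verify: an Ed25519 signature made with the customer's private key
// is evidence that the customer issued the instruction (non-repudiation).
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	// Constructed sample instruction and a random session key.
	instruction := []byte("TRANSFER NGN 250000 FROM 0123456789 TO 9876543210")
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, err := EncryptAESGCM(key, instruction)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptAESGCM(key, sealed)
	fmt.Printf("opened: %s (err=%v)\n", plain, err)
	sealed[len(sealed)-1] ^= 0x01 // simulate one flipped bit in transit
	_, err = DecryptAESGCM(key, sealed)
	fmt.Println("tampered message rejected:", err != nil)
	fmt.Println("digest:", Digest(instruction))
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, instruction)
	fmt.Println("signature valid:", Verify(pub, instruction, sig))
	altered := []byte("TRANSFER NGN 2500000 FROM 0123456789 TO 9876543210")
	fmt.Println("signature valid on altered amount:", Verify(pub, altered, sig))
}
```

Note that GCM already authenticates the ciphertext, so in practice a separate hash is only needed where data travels or is stored unencrypted; the hash and the signature are shown separately here to match the slide's four rows.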

IV. E-Payment Attack Scenarios

Problem: ATM and Credit Card Frauds - a banking client case study

Some of Our Findings:

Identity theft by impersonation with fake email phishing, SMS SMishing and website spoofing. Phishing email examples:

Your ABC bank account was temporarily suspended

Protect your ABC bank account

Update on your ABC bank account

ABC bank identity theft solutions

Identity theft by packet sniffing to illegally capture packets of data like passwords, IP addresses, protocols, etc., to break into the network and databases.

Identity theft through internal staff releasing customer information to friends and other collaborators.

Hacking by breaking into computer networks, databases and servers to retrieve information.


Security Solutions Offered:

“Email Security Code”, with the customer's name, last 4 digits of the card and last log-in date, in all emails to help customers verify that the email was sent by the bank.

“Confirm your identity”, based on some factors, requires the user to receive an “identification code” via voice, text or e-mail on file. The user must enter the code before a successful log-in to the account.

Secure Sockets Layer (SSL) encrypts, or scrambles, user IDs, passwords and account information en route and decodes them at the other end.


Use of GRC authorization and Segregation of Duties tools to minimize abuse of user access to incompatible combinations of sensitive customer account information.

Implement appropriate logging controls to check user abuses.

Use of a new account on the bank’s website payment processing link requires verification with a small deposit and a small withdrawal, to be confirmed by the user.

Protection with firewalls and specialized hardware & software to control all communications with the network.


Use of a Dynamic Security Key, which creates random temporary security codes on the go, in addition to the PIN and card at the ATM. It comes in 2 types:

Token Security Key, a small car-remote-sized device.

Mobile phone security key, for receiving the security code as SMS on the go.

Constant monitoring of the security tools to detect or proactively prevent security breaches.
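The Dynamic Security Key described above is an event-based one-time code: token and bank share a secret, and each button press (or each SMS request served by the bank) turns a counter into a fresh code that is useless once used. The Go code below is an added example, not the presentation's or any bank's code; it implements the HOTP algorithm of RFC 4226 and a bank-side `Token` verifier with a look-ahead window for codes that were generated but never entered. The function and type names are the example's own, and the secret `12345678901234567890` is the RFC 4226 test secret, not a real key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
)

// HOTP computes an RFC 4226 event-based one-time code: HMAC-SHA1 over the
// 8-byte big-endian counter, dynamically truncated to the requested digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := (uint32(h[offset])&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// Token is the bank-side record for one customer's security key (hardware
// token or SMS-delivered code): the shared secret, the next counter the bank
// expects, and a small look-ahead window for codes generated but never used.
type Token struct {
	Secret  []byte
	Counter uint64
	Window  uint64
}

// Verify accepts a code only once. On success the counter moves past the
// matching value, so a replayed or older code is rejected from then on.
func (t *Token) Verify(code string) bool {
	for i := uint64(0); i <= t.Window; i++ {
		c := t.Counter + i
		if subtle.ConstantTimeCompare([]byte(HOTP(t.Secret, c, 6)), []byte(code)) == 1 {
			t.Counter = c + 1
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test secret; real keys are random per customer
	for c := uint64(0); c < 3; c++ {
		fmt.Printf("counter %d -> %s\n", c, HOTP(secret, c, 6))
	}
	tok := &Token{Secret: secret, Counter: 0, Window: 3}
	fmt.Println("first use of the counter-1 code:", tok.Verify("287082"))
	fmt.Println("same code replayed:", tok.Verify("287082"))
	fmt.Println("older counter-0 code after resync:", tok.Verify("755224"))
}
```

The constant-time comparison and the strictly advancing counter are what make an intercepted SMS code or a shoulder-surfed token display worthless after the customer has used it; the window should stay small, and repeated failures should lock the token rather than let the search continue.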

Result: Customers increased by 86% in three months as a consequence of increased trust in the bank’s security measures.


Problem: Revenue leakages – an Energy, Oil & Gas client case study

Some of Our Findings:

Financial Fraud Through Deception: Customers with overdue invoices went undetected and continued to owe more from new purchases.

Unauthorized and Inappropriate Access to Systems: Processing and collection of bad debts by unauthorized personnel.

Security Solutions Offered:

System controls to block sales orders until overdue invoices are resolved.

System-generated alerts used for credit control management, followed by appropriate recovery measures (dunning).

Result: Over $1.4m increase in revenue after two months.


Problem: Fictitious contracts & overpayments – a Public sector client case study

Some of Our Findings:

Financial Fraud:

Duplicate invoice numbers exist for a vendor/contractor, and/or duplicate order numbers exist for a contract.

Goods receipts are below or exceed the quantity in the reference PO.

Invoice amounts do not match the goods receipt and/or quantity listed on the reference PO.

Unauthorized and Inappropriate Access to Systems:

New or changed POs and contracts that contain invalid services exist.


Security Solutions Offered:

System controls to prevent processing of duplicate invoice numbers for the same vendor/contractor.

System controls to prevent processing of receiving quantities less or greater than listed in the reference PO.

System controls to perform a 3-way matching of purchase orders, goods receipts, and invoices within a defined tolerance limit before posting to the GL.

Use of GRC authorization and Segregation of Duties tools to minimize abuse of user access to incompatible combinations of functions between requisition, purchasing, receiving, invoicing and processing vendors’ payments.
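The three system controls and the Segregation of Duties check listed above, written out as Go functions a payables system could run before anything posts to the GL. This is an added example, not the presentation's or the client's code: the `PurchaseOrder`/`GoodsReceipt`/`Invoice` record shapes, the 2% tolerance, the conflicting-function pairs in `sodConflicts` and the sample documents are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Minimal document records (assumed shapes for the example).
type PurchaseOrder struct {
	Number, Vendor string
	Qty            int
	UnitPrice      float64
}

type GoodsReceipt struct {
	PONumber string
	Qty      int
}

type Invoice struct {
	Number, Vendor, PONumber string
	Qty                      int
	Amount                   float64
}

// DuplicateInvoice blocks a second invoice with the same number from the same
// vendor. seen is keyed by vendor and invoice number and records first sightings.
func DuplicateInvoice(seen map[string]bool, inv Invoice) bool {
	key := inv.Vendor + "|" + inv.Number
	if seen[key] {
		return true
	}
	seen[key] = true
	return false
}

// ReceiptMatchesPO is the receiving-time control: the received quantity must
// equal the quantity on the referenced PO, neither short nor over.
func ReceiptMatchesPO(po PurchaseOrder, gr GoodsReceipt) bool {
	return gr.PONumber == po.Number && gr.Qty == po.Qty
}

// ThreeWayMatch compares PO, goods receipt and invoice and returns every
// exception found; an empty result means the invoice may post to the GL.
// tolerance is a fraction of the expected amount (0.02 = 2%).
func ThreeWayMatch(po PurchaseOrder, gr GoodsReceipt, inv Invoice, tolerance float64) []string {
	var exceptions []string
	if gr.PONumber != po.Number || inv.PONumber != po.Number {
		return append(exceptions, "goods receipt or invoice references a different PO")
	}
	if gr.Qty != po.Qty {
		exceptions = append(exceptions, fmt.Sprintf("receipt qty %d differs from PO qty %d", gr.Qty, po.Qty))
	}
	if inv.Qty != gr.Qty {
		exceptions = append(exceptions, fmt.Sprintf("invoice qty %d differs from receipt qty %d", inv.Qty, gr.Qty))
	}
	expected := float64(gr.Qty) * po.UnitPrice
	if math.Abs(inv.Amount-expected) > tolerance*expected {
		exceptions = append(exceptions, fmt.Sprintf("invoice amount %.2f outside %.0f%% of expected %.2f", inv.Amount, tolerance*100, expected))
	}
	return exceptions
}

// sodConflicts lists function pairs one user must not hold together
// (an assumed policy for the example, not a standard matrix).
var sodConflicts = [][2]string{
	{"requisition", "purchasing"}, {"purchasing", "receiving"},
	{"receiving", "invoicing"}, {"invoicing", "payment"}, {"purchasing", "payment"},
}

// SoDViolations returns the conflicting pairs present in one user's functions.
func SoDViolations(functions []string) []string {
	has := map[string]bool{}
	for _, f := range functions {
		has[f] = true
	}
	var found []string
	for _, pair := range sodConflicts {
		if has[pair[0]] && has[pair[1]] {
			found = append(found, pair[0]+"+"+pair[1])
		}
	}
	sort.Strings(found)
	return found
}

func main() {
	// Constructed sample documents.
	po := PurchaseOrder{Number: "PO-1001", Vendor: "VENDOR-A", Qty: 100, UnitPrice: 250}
	gr := GoodsReceipt{PONumber: "PO-1001", Qty: 100}
	inv := Invoice{Number: "INV-77", Vendor: "VENDOR-A", PONumber: "PO-1001", Qty: 100, Amount: 25000}
	seen := map[string]bool{}
	fmt.Println("duplicate on first posting:", DuplicateInvoice(seen, inv), "on re-posting:", DuplicateInvoice(seen, inv))
	fmt.Println("receipt matches PO:", ReceiptMatchesPO(po, gr), "exceptions:", ThreeWayMatch(po, gr, inv, 0.02))
	inflated := inv
	inflated.Amount = 26000
	fmt.Println("inflated invoice exceptions:", ThreeWayMatch(po, gr, inflated, 0.02))
	fmt.Println("SoD violations:", SoDViolations([]string{"receiving", "invoicing", "reporting"}))
}
```

The match returns every exception rather than stopping at the first, which is what an approver needs when a receipt is short and the invoice is nevertheless billed at full quantity; the SoD check is run on the union of a user's roles, since a conflict usually arises across two separately approved role grants.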

Result: More than $2.5m savings in expenditure after 5 months.


Problem: Risks and security concerns with Cloud Computing

Recommendations:

Reputation, history & sustainability are factors to be considered in choosing a provider.

Business continuity and disaster recovery plans must be well documented and periodically tested.

Options to minimize impact if the provider’s service is interrupted.

Agreed-upon service levels (SLA) with the provider.

Define backups and recovery time objectives.

Proper classification and labeling of data for ease of identification and to ensure data are not merged with competitors’.

Transparency and a robust assurance approach to the cloud provider’s security and control environment.

V. Countermeasures

SUGGESTED SECURITY BEST PRACTICES

Complete reliance on the strength of IT-based access controls.

Security policies, procedures and standards

Application and data ownership

Segregation of Duties

Logical and physical security

Super user privilege management

Compliant user provisioning with access approval

User-based role management (unique access based on need to know) and security administration

Virus protection

Authentication with any combination of ID, password, PIN, card, security code key on the go, biometric, etc.


INFORMATION MANAGEMENT SECURITY ROAD MAP

Effective risk management requires a strong balance of:

Organizational support: Dedicated management

People: Staff members play a critical role in protecting the integrity, confidentiality, and availability of IT systems and networks. Training, Awareness, Enforcement and Compensation.

Selection of appropriate technology: Firewalls, Intrusion Detection, Virus Protection, Authentication and Authorization, Encryption, Data and Information Backup


Effective & well controlled processes:

Security goals – operating, financial and strategic objectives

Risk factors impact analysis – internal and external

Evaluate and improve on existing security practices

The PCI Security Standards Council’s required process to mitigate emerging e-payment security risks has helped a lot:

Build & Maintain a Secure Network

Protect Cardholder Data

Maintain a Vulnerability Management Program

Implement Strong Access Control Measures

Regularly Monitor and Test Networks

Maintain an Information Security Policy

Each interacts with, impacts and supports the other, often in complex ways, and if any one is deficient, information security is diminished.

VI. Information Security Objectives

Identification

Authorization

Integrity

Availability

Reliability

Authentication

Authorization

Access Control

Data Integrity

Confidentiality

Non-repudiation


BENEFITS OF SECURED E-PAYMENT ENVIRONMENT

Privacy to fight or stop identity theft.

Preventive measures to help stop ATM, online, e-payment, bank account, etc., frauds.

Enhanced confidence in e-payment transactions.

Alerts to potential victims of online frauds.

Strong measures that help protect online purchases.

Secure online banking transactions.

GOVERNMENT’S ROLE

Political Will

In the US, the Sarbanes-Oxley Act was passed by Congress and signed into law by the President on 30 July 2002.

Its Section 404 requires senior management of public companies and their auditors to annually assess and report on the design and effectiveness of internal controls over financial reporting.

It fundamentally changed the business and regulatory environment.

It enhances corporate governance through strong internal checks and reporting.

Enforcement with high monetary & legal sanctions for non-compliance.

Collaboration with States and other stakeholders

Massive awareness campaign

More work for NITDA and other relevant organs

VII. Way Forward & Recommendations

EXECUTIVE MANAGEMENTS’ ROLE

IT professionals, especially those in executive positions, need to be well versed in internal control frameworks and standards. Government officials, CEOs, CIOs and other executives responsible for the implementation and management of information security must comply and take on the challenges of:

Enhancing their knowledge of security & internal controls.

Understanding their organization’s overall Security needs

Developing and implementing an effective information security & controls program.

Integrating this plan into the overall IT & corporate strategies.


Most would agree that the reliability of financial reporting is heavily dependent on a well-controlled IT environment.

Security of systems, data and infrastructure components is critical to e-commerce and e-payment for ICT deployment.

Legislative and regulatory measures are very critical to the success of ICT deployment.

Organizations must have a comprehensive plan to develop information security standards and ensure sustainability.

Effectively managed ICT security can support the achievement of business goals and objectives.

VIII. Discussion & Conclusion

Questions, Discussions, ….
