Auditing e-Commerce Systems
May 24, 2001
Visit the AccountingWEB Workshop Calendar for upcoming sessions.
A solid foundation in the fundamentals of e-Commerce will make your better able to deal with the rapid changes in this area... and a vital resource in the process of identifying risk, security exposures, performance factors and reliability problems. This presentation examined a couple of the fundamental components of e-Commerce activities, including ideas for risk management oversight.
The complete transcript of the workshop is below.
Topics covered in the workshop included:
- What to look for in e-commerce offerings
- Mapping the business process to eliminate and reduce exposures
- A eye on fraud: 4 Tips for Merchant Account management
The Data Center
- What is a secure server
- Three threats to your computer systems
- Port Scanning & Firewalls
- Cryptography Basic
- Certificate of Authority
- Bugs & Browsers
Test your knowledge of the building blocks of technology with this QUIZ.
Quiz answers were covered during the workshop.
Session Moderator: Welcome everyone, and thank you so much for joining us today! I'm happy to introduce Glen Christopher, returning to the AccountingWEB workshop room for a presentation on auditing e-commerce systems.
Glen is a professional speaker, consultant and Internet trainer. Glen's presentations help businesses focus on the benefits of technology, including:
Explaining the benefits and uses of the Internet and its importance in a clear, easy-to-understand and entertaining way.
Linking the mystique of the Internet to real business issues to save money and solve problems, and
Providing solid strategies that you can use to improve customer service and win more business!
Welcome Glen, and thank you for being with us today!
Glen Christopher: Thanks for having me.
Warning Warning Warning Important news bulletin
There is an underground effort by Chinese Hackers, to penetrate American web sites. As tensions between China and the United States continue to simmer, hackers of both countries have begun to wage their own Internet war.
Patriotic Hackers Wage War on American Web Site - For more information see http://www.nipc.gov/warnings/advisories/2001/01-009.htm
Hi, this is Glen. Welcome to Auditing eCommerce Systems
Auditing systems, unlike the traditional attestation function, focuses on assurance services. Today's CPA needs to understand, even master, a broad range of computer and telephony topics in order to impact the quality of information used by decision makers.
Understanding the computer and telephony technologies will help you assess the proper implementation, operation and control of the eCommerce solution.
We will use the online quiz as the framework for discussing the topics listed in the seminar outline. For all who participated in the quiz, thank you. I tried to grade and reply to as many quizzes as I could. Forty-six people took the quiz on Tuesday. The average score was 68.6%. The most frequently missed questions were #4, #3, #7 and #9.
I have slightly more than an hour's worth of content. I welcome your questions and will try to answer as many as I can.
Oh? The thing about Chinese hackers at the top of the seminar? It’s real - and only underlines the need to understand the risk and a call to action based on the following information. Here we go.
1. Early networks (circa 1980) were primarily: a. Low-speed transmitting batch data to central mainframes; b. Ethernet Local Area Networks; c. Token Ring Local Area Networks
The correct answer is “a” low-speed networking. When I entered the business world 22 years ago, Anderson-Jacobson's 300-baud acoustic couple was state of the art. The speed of modems operating over the switched public network has increased steadily, to 56 kbps today.
Digital networking has ushered in phenomenal speeds. The broadband / ADSL access at my home-office measured 543 k bps earlier this week.
But it's the extensive infrastructure in dial up networking that represents the largest risk to your e-commerce environment. Practically every piece of computing / networking gear in the data center is provisioned with a maintenance port for remote access and diagnostics. Hackers using command dialers in search of maintenance ports are likely to find lots of targets. Consider the Cisco router.
The default password for a Cisco router is "cisco." In many organizations, router security is something that gets done when there is time, and there is never time. Unfortunately, many Cisco routers are still accessible via the default password.
In audits, several synoptic hubs and Motorola switches were found to be not password protected at all (Network Audits by Gordon Smith, pg. 132) even though the manual clearly states that passwords should be used.
Risk avoidance requires auditors to document and insist on procedures that validate password management on all network assets and disabling of maintenance ports when they are not in use.
2. Using cryptography to send credit card numbers over the Internet means the eCommerce server cannot be broken into? (True / False)
OK, so this was a trick question. But a fine entree into a discussion about server security. So what is a secure server? Establishing a secure server is like using or building a three legged stool.
First of all, a stool that is placed on an unstable platform will fail. The platform in this case, is the business policies and practices that contribute to solid operation. CPAs and auditors have an opportunity and an obligation to play in important role in the need for careful analysis, adapting standards, identifying redundant task and the other actions that disclose organizational risk and the development of reasonable measures to limit that risk.
Cryptography or data encryption is one leg of the stool. Guarding data in transit is vital to building trust and confidence with your customers. Unfortunately, hackers have the ability to spoof real time connections, injecting themselves between a server and a client, decryption, copying and re-encrypting messages in both directions. The system of certificate authorities offers protection against this kind of hacker activity.
The second leg of the stool is logical security of the server. While a firewall offers a level of protection for your eCommerce server, a firewall is no panacea. (And in one big way, a firewall is an oxymoron). Data center operations have to disable services and ports that represent opportunities for hackers to probe and break in (including the maintenance port on the server). According to Gordon Smith, author and president of canaudit.com, "locking down an NT server to prevent access by hackers is one of the most difficult chores facing IT auditors."
The third leg of the stool includes issues of physical integrity and security, including premise access, backup and restore processes, disaster recover, electrical power (it's amazing how many states are catering businesses in California) and the list goes on and on. While the seat of the stool might represent the eCommerce software, I like to parallel the seat with the single most important asset in the eCommerce solution, your people. Hiring honest people and organizing workflow to achieve separation of incompatible functions is a must. If we stretch our definition of eCommerce to include a company's computer based system for electronically allocating stock to employees. Few examples of the need to hire honest people and separate incompatible functions are as compelling as the recent theft of $6.3 million in Cisco System stock by two Cisco employees.
3. On Monday, March 3, 1997, who discovered that a specially written web page could trick Microsoft's latest browser into executing any user program? a. George Guninski; b. Paul Green; c. Time Berners-Lee
On Monday, March 3, 1997, Paul Green, a student at Worcester Polytechnic Institute, discovered that a specially written web page could trick Microsoft's Internet Explorer into executing practically any program with any input on a target computer. This bug effectively gave webmasters total control over any computer that visited a web site with Internet Explorer. Microsoft posted a fix to Greene's bug within 48 hours.
While this question and the answer to it may not tickle your fancy, consider the following 2 points:
1) As a percentage of the total number of employees with Internet Explorer running on their desktops in a business environment, how many went to the Microsoft web site, downloaded and installed the fix? As an answer to this question, I offer my liberal estimate of 1%.
2) What percentage of the hacker community routinely visits the Microsoft Web Site in search of situational vulnerabilities that they can use to launch an attack? Here I offer my conservative estimate of 99%!
Given the wide use of browsers in the workforce the number of companies that fail to implement and train employees on the use and risk of use of web browsers is amazing. Perhaps we think that the bugs in browser will be eliminated in the next release of the software. Lighting strikes twice, see question 4.
4. On Saturday, March 31, 2001, who posted a message stating that a specially written web page could trick Microsoft's latest browser into executing any user program? a. George Guninski; b. Paul Green; c. Time Berners-Lee
Just when you thought it was safe to go back in the water, George Guninski, shoots a hole in the secure vale of browsing on the Internet. Visiting a web site with Internet Explorer 5.5 could result in hackers reading your files and sending them to other servers on the Internet.
Session Moderator: So are you suggesting that people should consider alternatives to Explorer?
Glen Christopher: No, protecting our companies and the information on our systems means having policies and plans to stay abreast of what is going on.
The day before Mr. Guninski's alert, Microsoft warned that a security hole in IE 5.01 and 5.5 could cause the browser to automatically open HTML email attachments that could be used by an attacker to execute malicious code.
About those two questions I raised in the answer to quiz question number 3? ditto!
In my recent article on email etiquette, tip #8 reads as follows:
Avoid HTML based message formats. If communications between humans in 60% body language, 30% tone and inflection, and 10% what you say, then we loose 90% of our communications with email.
I am tickled by the number of people who want to encroach on the 90% by using HTML codes to spice up their message. Email with special fonts, colored text and embedded images are becoming more and more common. This is a dangerous trend.
There are two problems with HTML mail. First, unless the recipient uses an email client capable of displaying messages with HTML correctly, your message will be displayed on the receiver's computer as an unreadable mess! Assuming everybody uses the same “stuff” is shortsighted.
Both of these languages have profound security implications.
Simply stated, executing HTML based messages on your computer is tantamount to playing Russian roulette with your data. A virus, worm or Trojan Horse could be lurking in your inbox. And not as an attachment, but embedded in the message itself. Protect yourself and those you communicate with, avoid HTML based message formats.
Scott Cytron: Glen - I missed the first part, so pardon me if this is redundant. Are you suggesting plain-text messages only?
Glen Christopher: As a matter of etiquette, don't send HTML messages!
If you want to read the entire article, it's on my web site at http://glen.christopher.net under the tab/button for “articles”
One more thing?
Microsoft XP, the migration product for all those Windows ME systems, will include remote control features. Touted as a tool for Microsoft's customer service professionals, these will surely empower hackers, and offer hackers tools that will create grief for many companies and individuals. Personally, I will be one of the first to disable this feature.
Six more quiz questions to go
5. "Three bad passwords and the account is disabled," this is a feature of: a. Killer Cracker software; b. RACF password crackers; c. Intruder detection
The objective of an audit of passwords and access privileges normally includes: 1 - reviewing policies for separating incompatible functions and ensuring that they promote reasonable security, 2 - reviewing the privileges of a selection of user groups and individuals to determine if their rights are appropriate for their jobs and their assigned responsibilities, and 3 - certifying that employees formally acknowledge their responsibilities to maintain the confidentially of company data, and 4 - Assessing the adequacy of password standards such as length and expiration interval.
To this list, the CPA / Auditor should insist on adding the enabling of Intruder detection programs. The operating system equivalent to a fire alarm, product from companies like Haystack Labs (Webstalker) and IIS (ReahellolSecure) are available commercially. At a bare minimum, set up the system to disable accounts that have experienced three unsuccessful password attempts in a row.
6. The World Wide Web was invented by: a. Al Gore; b. Tim Berners-Lee; c. Paul Green
Tim Berners-Lee is the man. I consider his book, Weaving The Web a must read for anyone whose work touches the Internet in a significant way (that just about covers everybody).
7. SSL (Secure Socket Layer) is a system for automatically securing confidential data by verifying the password of the person requesting the data? (True / False)
SSL is a general-purpose cryptographic protocol for securing bi-directional communications or connections. SSL is the encryption system that is used by web browsers. SSL connections are usually initiated with the browser through the use of a special URL prefix. The prefix is imbedded in the web page source code, in the anchor tag, so unless you are creating web pages you will never see it.
The prefix “https:” is used to indicate an SSL-encrypted HTTP connection. SSL offers confidentiality, integrity, authentication and nonrepudiation. Sorry, SSL does not verify passwords - the correct answer is false.
8. A firewall is: a. A mathematical technique for scrambling information so that data sent from a browser to an eCommerce web site cannot be surreptitiously monitored; b. A device (or software) that isolates an organization's computer network from the Internet at large.
The correct answer is B.
Before we continue, I would like to break for a commercial announcement:
My full-day programs on eCommerce are available through a variety of organizations, including WesternCPE when you can earn CPE in a resort conference setting, join me in Orlando, Florida during the week of June 11 or later in the year in Monterey, California, Las Vegas, NV or the Bahamas. Visit www.WesternCPE.com for additional information.
Glen Christopher: :-) sun and fun
9. Which of the following does not belong in this group: a. VMSC; b. LOPHTCRACK; c. Verisign
Protecting our eCommerce investment means taking a look from the outside – in using the tools of the trade... the hacker community. The tools and techniques available to hackers are enviable. VMSC is a well-known VAX password cracker available on the Internet. LOPHTCRACK can harvest Windows NT passwords and crack them. Other software tools like Killer Cracker and RACF target Unix and OS/390 or MVS environments respectively. And the list goes on and on and on and on.
Verisign is a certificate authority. Verisign is the number one issuers of digital certificates. Verisign "c" does not belong in this group.
10. Which of the following techniques is the most practical way to protect information from eavesdropping as it travels over the Internet: a. Physically secure the network; b. Hide the information you wish to secure within information that appears innocuous; c. Encrypt the information so that it cannot be decoded by any person who does not have the proper key.
Cryptography (encryption) is a collection of techniques for keeping information secure. Dating back thousands of years, early systems were based on two techniques: substitution and transposition. Substitution is based on the principle of replacing each letter in the message you wish to encrypt with another one. Transposition is based on scrambling the characters that are in the message.
Today, encryption algorithms running on high-speed digital computers use both substitution and transposition in combination, as well as other mathematical functions. C is the correct answer.
I really wanted to spend some time talking about the four main components of eCommerce software solutions and mapping those concepts to business practices, but I ran out of prep time in organizing my thoughts for this meeting. Perhaps I can come back in the future and discuss that, tips for merchant account management and enabling alternative buying modalities to accommodate the wide range of customer types you'll service on the Internet.
Session Moderator: You are always welcome to return!
Glen Christopher: Are there any question on the quiz?
I recently saw a lowered forecast for eCommerce sales in the year 2005. It was from one of the big consulting companies, Gardner, I think. Lowering annual sales estimates from some $7.8 billion to $6.6 billion ( I am guessing here). My response "Doesn't sound like a bust to me... looks like all of us have a lot of work to do!"
Glen Christopher: Have a great afternoon everyone
Cindy Schmidgall: You too. Thank you.
Michael Platt: Good bye and thanks.
Session Moderator: Glen - thank you so much for being with us today and for sharing all of this great information! And thank you all for coming today!
Glen Christopher: You are welcome.
Glen Christopher is a professional speaker, consultant and Internet trainer. Glen's presentations help businesses focus on the benefits of technology, including:
- Explaining the benefits and uses of the Internet and its importance in a clear, easy-to-understand and entertaining way
- Linking the mystique of the Internet to real business issues to save money and solve problems, and
- Providing solid strategies that you can use to improve customer service and win more business!
Voice of the Editor
Which isn’t completely true. I mean, occasionally I drop by when I manage to sneak out of the nonstop frat party over at Going Concern, but I’m mostly a wallflower over there. I’m happy to say that I’ve been given express permission (or explicit orders, if you like) to wander over here to AccountingWEB more often.
Why is that, you might ask? My job is to replace the irreplaceable Gail Perry as Editor-in-Chief. What does that mean? I don’t really know! I think it’ll be fun getting a feel for things, throwing in my own thoughts here and there, and listening to the discussions you’re having about the accounting profession.