Question
CASE DESCRIPTION
Lux Insurance Brokers (LIB) is an insurance brokerage firm based in Sydney, New South Wales, Australia. LIB provides house, car and life insurance to individuals residing in Australia. In the last couple of years, LIB has developed an online business model to complement its storefronts. LIB has a different online business model from the other insurance brokers who maintain an online presence. LIB’s competitors search out the best insurance pricing for their clients. While the broker facilitates the relationship, the final transaction is between the client and the insurance company directly. The broker subsequently receives a commission from the insurance company. Conversely, LIB provides a one-stop service for its clients, from search to completion of the contract. LIB charges a fee to the client and takes no commission from the insurance company. Under a new Australian law, LIB is able to produce the insurance contract and send it electronically to the client and insurance company, without requiring that the client sign it. The director of IT heads the IT functions at LIB. Reporting to the director are the managers of the program development, network operations and operations groups.
Pricing of insurance products for individuals is highly dependent on a small number of factors, including creditworthiness, claim history and the nature of risk insured. Approximately 70 percent of the online business conducted by LIB is vehicle insurance. LIB validates the client’s credit card number against credit history, vehicle identification number (VIN) against the Department of Motor Vehicles (DMV) registration database, and client information against the shared database of policy claim and payment history maintained by the Insurance Industry Information Council (IIIC). All of this information is collected from the client on the Internet. Credit card payment for the policy comes from the client after final processing of the policy.
The client interacts with a web-based system. The client registers on the web site and provides all requested personal and insurance information. The system uses a complex set of JavaScript codes to keep the transaction alive, as the client clicks from page to page and interacts with LIB’s own back-end systems as well as the systems of the DMV, IIIC, etc. LIB’s databases and temporary files in the LIB file systems cache some of the data transmitted to and from these third parties. Some data pass directly through to the third party without caching. The web site provides no information on the handling of the data for the clients. The client can allow an automatic logon to the site. The browser’s cookie file stores the challenge information (username and password). When clients forget their username and/or password, they can answer a challenge question to retrieve the information by e-mail.
The JavaScript codes, used by LIB for its web interaction with clients, are derived from a stock suite of e-commerce code that is sold by a local Australian e-commerce software developer. The e-commerce code is self-documenting. This means the body of the code incorporates all the help files and guidance for the integrator. The software developer finds this more efficient than providing a series of manuals. Most clients do not use all the available code in the suite and alter the code to respond to the particular development environment. Indeed, the development team in the LIB program development IT group has made a series of code changes to the JavaScript to increase performance and meet particular business needs. These changes have also been self-documented.
A ColdFusion web management system manages interactions between the JavaScript code and the back-end and third-party systems. The LIB program development IT staff code the ColdFusion application. The network operations group also wrote and maintains some specialist code in the PHP language. The quality assurance team in the program development group is responsible for stress testing the online applications.
The operations group maintains a range of hardware platforms including mainframes and distributed systems (e.g., UNIX, Windows and Netware). The network operations group manages a range of network components (e.g., ISDN, routers and firewalls). The operations manager, program development manager and network operations manager share responsibility for security at LIB. Each group maintains a formal security plan. The three managers, together with the director of IT and the director of internal audit, form a security task force that meets twice a year as the security management committee to co-ordinate security developments and plans. The network operations group includes a manager of network security, who is responsible for the security of internal and external networks.
Neither the operations manager nor the program development manager considers that his/her group is sufficiently large to warrant a full-time security person. The responsibility for security is 40 percent of the job responsibilities of the assistant manager of operations in the operations group and 30 percent of the job responsibilities of the quality manager in the program development group. While no formal security plan is prepared, each of the three groups is required to report to the biannual meeting of the security management committee. The report from each group should include a listing of security breaches and identified security vulnerabilities, but not every report includes such detail and sometimes the reports are somewhat sketchy.
Recently, the manager of network security in the network operations group has been reading about the risks that arise from cross-site scripting (XSS). This form of Internet vulnerability arises from a third party inserting malicious code in the clickstream between browser and server. While the malicious code can run on either the server or client side, most examples of XSS are on the client’s web browser. The fraudster exploits the intelligence of the web browser to hijack the browser and run JavaScript applets that may retrieve information from the client’s cookie file or send user data, including passwords and login information, to the third party.
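As an added illustration of the mechanism described above (example code, not from the case or from LIB's systems), the same greeting is rendered with and without output encoding, and a session cookie is issued with the attributes that keep page scripts from reading it. The function names, the `LIBSESSION` cookie name and the probe input are assumptions constructed for this example.

```javascript
// Added example, not LIB's code. Shows why untrusted input written straight into
// markup is exploitable, and the two controls that blunt the cookie-theft scenario:
// output encoding and HttpOnly/Secure session cookies that carry no credentials.

// Encode the characters that let untrusted text break out of an HTML text node or attribute.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: a client-supplied field concatenated directly into the page.
function renderGreetingUnsafe(clientName) {
  return `<p>Welcome back, ${clientName}</p>`;
}

// Hardened pattern: the same template, with the untrusted value encoded on output.
function renderGreetingSafe(clientName) {
  return `<p>Welcome back, ${escapeHtml(clientName)}</p>`;
}

// Session cookie carrying an opaque random token instead of username/password.
// HttpOnly: scripts in the page cannot read it.  Secure: only sent over TLS.
function sessionCookieHeader(token) {
  if (!/^[A-Za-z0-9_-]{32,}$/.test(token)) throw new Error("token must be an opaque random string");
  return `LIBSESSION=${token}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Self-assessment check: which protective attributes does a Set-Cookie header lack?
function cookieMissingAttributes(setCookieHeader) {
  const required = ["Secure", "HttpOnly", "SameSite"];
  const attrs = setCookieHeader.split(";").map((a) => a.trim().split("=")[0].toLowerCase());
  return required.filter((r) => !attrs.includes(r.toLowerCase()));
}

// Constructed input: a name field holding a script tag, as a reflected-XSS test string would.
const probe = 'Jane <script>alert("xss")</script>';
console.log(renderGreetingUnsafe(probe)); // script tag reaches the browser verbatim
console.log(renderGreetingSafe(probe));   // &lt;script&gt; is displayed as plain text
// A cookie like the one in the case (credentials, no protective attributes) fails all three checks.
console.log(cookieMissingAttributes("user=jane; pass=secret; Path=/"));
```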
The security manager in the network operations group raises the possibility that LIB may be susceptible to XSS in his/her report to the security management committee. He/She also notes that it does not seem to be a vulnerability that affects the network operations group, as it does not influence the availability or vulnerability of LIB’s Internet connectivity, intranet or other proprietary networks. The committee noted the report.
QUESTIONS
1. What are the key security risks in the LIB e-commerce environment?
2. A significant threat in this case is code injection attacks. Given the different types of injection attacks, distinguish between cross-site scripting (XSS) and other forms. Support your case for the need to address code injection attacks by researching the topic and citing actual incidents and statistics illustrating the associated risks.
3. Wherever possible, map the facts set out in the case to the detailed control objectives in the COBIT process DS5 (Ensure Systems Security). Identify evident control weaknesses. Use this information to develop an internal control checklist that the company can use for self-assessments in the future.
4. Now that you understand the threat and the business environment, put yourself in the role of an external consultant on IT control systems and audit. The audit committee of LIB has become aware of LIB's potential liability to XSS. The committee hired you on 1 April to provide a preliminary analysis on the vulnerability of LIB to XSS and on the current state of the security plan and security preparedness of LIB. Write a one-page memo (dated 10 April) to the audit committee. Make recommendations on:
   - The immediate handling of the XSS threat to LIB
   - Improvement in the management of security at LIB

   Draw on the DS5 (Ensure Systems Security) management and implementation guidelines in devising your recommendations. In writing your memo, consider the types of audit and inquiry procedures you might undertake in your investigation.
Source: COBIT in Academia Caselets
Step by Step Solution
Step: 1
1. The key security risks in the LIB e-commerce environment include code injection attacks, cross-site scripting (XSS) and cookies that store login information. 2. According to the Open Web Application Securi...