Chapter 10: Electronic Commerce Security

Slides:



Advertisements
Similar presentations
Threats and Protection Mechanisms
Advertisements

Implementing Electronic Commerce Security Gary Schneider, 2003
Chapter 17: WEB COMPONENTS
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
1 Chapter 5 Security Threats to Electronic Commerce.
Security Threats to Electronic Commerce
Security Threats to Electronic Commerce
Chapter 5 Security Threats to Electronic Commerce
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Electronic Commerce Security Presented by: Chris Brawley Chris Avery.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Electronic Commerce COMP3210 Dr. Paul Walcott 08/11/04 The Department of Computer Science Mathematics and Physics, University of the West Indies, Cave.
Implementing Electronic Commerce Security
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Chapter 10: Electronic Commerce Security
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Implementing Security for Electronic Commerce
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.
Implementing Security for Electronic Commerce
Business Data Communications, Fourth Edition Chapter 10: Network Security.
Chapter 10: Electronic Commerce Security. Electronic Commerce, Seventh Annual Edition2 Impact of Security on E-Commerce In 2006 an estimated $913 million.
Chapter 10: Electronic Commerce Security
Security Threats to Electronic Commerce
E-Commerce: The Second Wave Fifth Annual Edition
 2001 Prentice Hall, Inc. All rights reserved. Chapter 7 – Computer and Network Security Outline 7.1Introduction 7.2Ancient Ciphers to Modern Cryptosystems.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Week 5 IBS 520 Computer and Online Security. Cybercrime Online or Internet- based illegal acts What is a computer security risk? Computer crime Any illegal.
1 6 Chapter 6 Implementing Security for Electronic Commerce.
Securing Information Systems
Copyright © 2007 Pearson Education, Inc. Slide 5-1 E-commerce Kenneth C. Laudon Carol Guercio Traver business. technology. society. Second Edition.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.
Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.
The Internet 8th Edition Tutorial 7 Security on the Internet and the Web.
Chapter 5 Security Threats to Electronic Commerce
Web Server Administration Chapter 10 Securing the Web Environment.
1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.
BUSINESS B1 Information Security.
Networks and Security Monday, 10 th Week. Types of Attacks/Security Issues  Viruses  Worms  Macro Virus  Virus  Trojan Horse  Phishing 
1 E-Commerce Security Part I – Threats. 2 Objectives Threats to –intellectual property rights –client computers –communication channels between computers.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
1 E-Commerce Security Part II – Security Techniques.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Cryptography, Authentication and Digital Signatures
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Types of Electronic Infection
Course code: ABI 204 Introduction to E-Commerce Chapter 5: Security Threats to Electronic Commerce AMA University 1.
Chapter 7: E-Commerce Security and Payment system
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Oz – Foundations of Electronic Commerce © 2002 Prentice Hall Security and Privacy Issues.
Prepared by Natalie Rose1 Managing Information Resources, Control and Security Lecture 9.
Information Security in Distributed Systems Distributed Systems1.
1 6 Chapter 6 Implementing Security for Electronic Commerce.
Chap1: Is there a Security Problem in Computing?.
1 Java Applets Java: platform-independent programming language – Provides Web page active content – Server sends applets with client-requested pages –
Electronic commerce Threats
Chapter 10: Electronic Commerce Security Electronic Commerce, Sixth Edition.
Part V Electronic Commerce Security Online Security Issues Overview Managing Risk Computer Security Classifications. Security.
9 1 ADVANCED WEB TOPICS Browser Extensions and Internet Security New Perspectives on THE INTERNET.
1 6 Chapter 6 Implementing Security for Electronic Commerce.
UNIT-4 Computer Security Classification 2 Online Security Issues Overview Computer security – The protection of assets from unauthorized access, use,
Chapter 10: Electronic Commerce Security
Security on the Internet and the Web
Chapter 40 Internet Security.
Implementing Security for Electronic Commerce
Chapter 17 Risks, Security and Disaster Recovery
Presentation transcript:

Chapter 10: Electronic Commerce Security Electronic Commerce, Seventh Annual Edition

Objectives In this chapter, you will learn about: Online security issues Security for client computers Security for the communication channels between computers Security for server computers Organizations that promote computer, network, and Internet security Electronic Commerce, Seventh Annual Edition

Online Security Issues Overview Computer security The protection of assets from unauthorized access, use, alteration, or destruction Physical security Includes tangible protection devices Logical security Protection of assets using nonphysical means Threat Any act or object that poses a danger to computer assets Electronic Commerce, Seventh Annual Edition

Managing Risk Countermeasure Eavesdropper Crackers or hackers General name for a procedure that recognizes, reduces, or eliminates a threat Eavesdropper Person or device that can listen in on and copy Internet transmissions Crackers or hackers Write programs or manipulate technologies to obtain unauthorized access to computers and networks Electronic Commerce, Seventh Annual Edition

Electronic Commerce, Seventh Annual Edition

Computer Security Classifications Secrecy Protecting against unauthorized data disclosure and ensuring the authenticity of a data source Integrity Refers to preventing unauthorized data modification Necessity Refers to preventing data delays or denials Electronic Commerce, Seventh Annual Edition

Security Policy and Integrated Security A security policy is a written statement describing: Which assets to protect and why they are being protected Who is responsible for that protection Which behaviors are acceptable and which are not First step in creating a security policy Determine which assets to protect from which threats Electronic Commerce, Seventh Annual Edition

Electronic Commerce, Seventh Annual Edition

Security Policy and Integrated Security (continued) Elements of a security policy address: Authentication Access control Secrecy Data integrity Audits Electronic Commerce, Seventh Annual Edition

Security for Client Computers Stateless connection Each transmission of information is independent Session cookies Exist until the Web client ends connection Persistent cookies Remain on a client computer indefinitely Electronic Commerce, Seventh Annual Edition

Security for Client Computers (continued) First-party cookies Cookies placed on a client computer by a Web server site Third-party cookies Originates on a Web site other than the site being visited Web bug Tiny graphic that a third-party Web site places on another site’s Web page Electronic Commerce, Seventh Annual Edition

Electronic Commerce, Seventh Annual Edition

Active Content Active content refers to programs embedded transparently in Web pages that cause an action to occur Scripting languages Provide scripts, or commands, that are executed Applet Small application program Electronic Commerce, Seventh Annual Edition

Electronic Commerce, Seventh Annual Edition

Active Content (continued) Trojan horse Program hidden inside another program or Web page that masks its true purpose Zombie Program that secretly takes over another computer to launch attacks on other computers Attacks can be very difficult to trace to their creators Electronic Commerce, Seventh Annual Edition

Java Applets Java Java sandbox Untrusted Java applets Programming language developed by Sun Microsystems Java sandbox Confines Java applet actions to a set of rules defined by the security model Untrusted Java applets Applets not established as secure Electronic Commerce, Seventh Annual Edition

JavaScript Scripting language developed by Netscape to enable Web page designers to build active content Can be used for attacks by: Executing code that destroys a client’s hard disk Discloses e-mail stored in client mailboxes Sends sensitive information to an attacker’s Web server Electronic Commerce, Seventh Annual Edition

ActiveX Controls An ActiveX control is an object containing programs and properties that Web designers place on Web pages ActiveX components can be constructed using different languages programs but the most common are C++ and Visual Basic The actions of ActiveX controls cannot be halted once they begin execution Electronic Commerce, Seventh Annual Edition

Electronic Commerce, Seventh Annual Edition

Viruses, Worms, and Antivirus Software Software that attaches itself to another program Can cause damage when the host program is activated Macro virus Type of virus coded as a small program (macro) and is embedded in a file Antivirus software Detects viruses and worms Electronic Commerce, Seventh Annual Edition

Digital Certificates A digital certificate is a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be A certificate is signed code or messages that provide proof that the holder is the person identified by the certificate Certification authority (CA) issues digital certificates Electronic Commerce, Seventh Annual Edition

Electronic Commerce, Seventh Annual Edition

Digital Certificates (continued) Main elements: Certificate owner’s identifying information Certificate owner’s public key Dates between which the certificate is valid Serial number of the certificate Name of the certificate issuer Digital signature of the certificate issuer Electronic Commerce, Seventh Annual Edition

Steganography Describes the process of hiding information within another piece of information Provides a way of hiding an encrypted file within another file Messages hidden using steganography are difficult to detect Electronic Commerce, Seventh Annual Edition

Communication Channel Security Secrecy is the prevention of unauthorized information disclosure Privacy is the protection of individual rights to nondisclosure Sniffer programs Provide the means to record information passing through a computer or router that is handling Internet traffic Electronic Commerce, Seventh Annual Edition

Integrity Threats Integrity threats exist when an unauthorized party can alter a message stream of information Cybervandalism Electronic defacing of an existing Web site’s page Masquerading or spoofing Pretending to be someone you are not Domain name servers (DNSs) Computers on the Internet that maintain directories that link domain names to IP addresses Electronic Commerce, Seventh Annual Edition

Necessity Threats Purpose is to disrupt or deny normal computer processing DoS attacks Remove information altogether Delete information from a transmission or file Electronic Commerce, Seventh Annual Edition

Threats to Wireless Networks Wardrivers Attackers drive around using their wireless- equipped laptop computers to search for accessible networks Warchalking When wardrivers find an open network they sometimes place a chalk mark on the building Electronic Commerce, Seventh Annual Edition

Encryption Solutions Encryption Cryptography Using a mathematically based program and a secret key to produce a string of characters that is unintelligible Cryptography Science that studies encryption Electronic Commerce, Seventh Annual Edition

Encryption Algorithms An encryption algorithm is the logic behind encryption programs Encryption program Program that transforms normal text into cipher text Hash coding Process that uses a hash algorithm to calculate a number from a message of any length Electronic Commerce, Seventh Annual Edition

Asymmetric Encryption Asymmetric encryption encodes messages by using two mathematically related numeric keys Public key Freely distributed to the public at large Private key Belongs to the key owner, who keeps the key secret Electronic Commerce, Seventh Annual Edition

Asymmetric Encryption (continued) Pretty Good Privacy (PGP) One of the most popular technologies used to implement public-key encryption Set of software tools that can use several different encryption algorithms to perform public-key encryption Can be used to encrypt e-mail messages Electronic Commerce, Seventh Annual Edition

Symmetric Encryption Symmetric encryption encodes a message with one of several available algorithms that use a single numeric key Data Encryption Standard (DES) Set of encryption algorithms adopted by the U.S. government for encrypting sensitive information Triple Data Encryption Standard Offers good protection Cannot be cracked even with today’s supercomputers Electronic Commerce, Seventh Annual Edition

Comparing Asymmetric and Symmetric Encryption Systems Public-key (asymmetric) systems Provide several advantages over private-key (symmetric) encryption methods Secure Sockets Layer (SSL) Provides secure information transfer through the Internet Secures connections between two computers S-HTTP Sends individual messages securely Electronic Commerce, Seventh Annual Edition

Electronic Commerce, Seventh Annual Edition

Ensuring Transaction Integrity with Hash Functions Integrity violation Occurs whenever a message is altered while in transit between the sender and receiver Hash algorithms are one-way functions There is no way to transform the hash value back to the original message Message digest Small integer number that summarizes the encrypted information Electronic Commerce, Seventh Annual Edition

Ensuring Transaction Integrity with Digital Signatures Hash algorithms are not a complete solution Anyone could: Intercept a purchase order Alter the shipping address and quantity ordered Re-create the message digest Send the message and new message digest on to the merchant Digital signature An encrypted message digest Electronic Commerce, Seventh Annual Edition

Electronic Commerce, Seventh Annual Edition

Security for Server Computers Web server Can compromise secrecy if it allows automatic directory listings Can compromise security by requiring users to enter a username and password Dictionary attack programs Cycle through an electronic dictionary, trying every word in the book as a password Electronic Commerce, Seventh Annual Edition

Other Programming Threats Buffer An area of memory set aside to hold data read from a file or database Buffer overrun Occurs because the program contains an error or bug that causes the overflow Mail bomb Occurs when hundreds or even thousands of people each send a message to a particular address Electronic Commerce, Seventh Annual Edition

Firewalls Software or hardware and software combination installed on a network to control packet traffic Provides a defense between the network to be protected and the Internet, or other network that could pose a threat Electronic Commerce, Seventh Annual Edition

Firewalls (continued) Characteristics All traffic from inside to outside and from outside to inside the network must pass through the firewall Only authorized traffic is allowed to pass Firewall itself is immune to penetration Trusted networks are inside the firewall Untrusted networks are outside the firewall Electronic Commerce, Seventh Annual Edition

Firewalls (continued) Packet-filter firewalls Examine data flowing back and forth between a trusted network and the Internet Gateway servers Firewalls that filter traffic based on the application requested Proxy server firewalls Firewalls that communicate with the Internet on the private network’s behalf Electronic Commerce, Seventh Annual Edition

Organizations that Promote Computer Security CERT Responds to thousands of security incidents each year Helps Internet users and companies become more knowledgeable about security risks Posts alerts to inform the Internet community about security events Electronic Commerce, Seventh Annual Edition

Other Organizations SANS Institute SANS Internet Storm Center A cooperative research and educational organization SANS Internet Storm Center Web site that provides current information on the location and intensity of computer attacks Microsoft Security Research Group Privately sponsored site that offers free information about computer security issues Electronic Commerce, Seventh Annual Edition

Computer Forensics and Ethical Hacking Computer forensics experts Hired to probe PCs and locate information that can be used in legal proceedings Computer forensics The collection, preservation, and analysis of computer-related evidence Electronic Commerce, Seventh Annual Edition

Summary Assets that companies must protect include: Client computers Computer communication channels Web servers Communication channels, in general, and the Internet, in particular, are especially vulnerable to attacks Encryption Provides secrecy Electronic Commerce, Seventh Annual Edition

Summary (continued) Web servers are susceptible to security threats Programs that run on servers might: Damage databases Abnormally terminate server software Make subtle changes in proprietary information Security organizations include CERT and SANS Electronic Commerce, Seventh Annual Edition