MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE Security.


Outline
- What is Security
- What is Electronic Security
- Objectives of Security
- Importance of Security
- Types of Security
- Security Policy
- Security Tips

What is Security?
- That which secures;
- protection;
- a state of safety or safe keeping.

Electronic Security
- The process of preventing and detecting unauthorized use of a computer-based information system.
- Prevention: measures to stop unauthorized users from accessing any part of the computer-based information system.

Importance of Security
- Privacy
- Crime
- Networks and their associated technologies have opened the door to an increasing number of security threats.
- Important data can be lost, privacy can be violated, and the computer can even be used by an outside attacker to attack other computers on the Internet.

Who Might Attack?
- Hackers: in security circles, most of these people are known as "script kiddies."
- Business rivals: competitors may try to obtain information illicitly through your virtual back doors.
- Foreign intelligence: another area of concern is foreign espionage. France, Israel, and Russia are known to have active industrial espionage efforts underway against the United States.
- Insiders: they may be hackers for their own amusement, for example, or they may be working for rivals or foreign intelligence agencies.

[Diagram: Internet business value plotted against security considerations, rising through Internet access, corporate intranet, Internet presence, eCommerce and extranets]

Objectives of Security
- Confidentiality
- Integrity
- Availability

Confidentiality
- The process used to protect secret information from unauthorized disclosure.
- Secret data needs to be protected both when it is stored and when it is being transmitted over the network.

Integrity
- Concerns the unauthorized changing or creation of data values within the system.
- Data integrity checks detect whether the data has been modified during transmission. Such modification may be the result of an attack or of a transmission error (corruption).

Integrity (cont.)
- There are legal concerns regarding:
  - Anonymity of source
  - Ease of reproduction
  - Detection of alteration
  - Unauthorised disclosure
  - Attribution

Availability
- Loss of availability is caused by equipment malfunction, equipment destruction (natural disaster) or equipment loss (theft).
- Example: a computer virus causes the system to be unavailable for an extended period while the virus is removed and corrupted data is reprocessed.

Types of Security
- Technical countermeasures
- Non-technical countermeasures
  - Physical
  - Procedural

A Balanced Approach to Security
[Diagram: security-conscious people, policies and procedures, network controls and security software standing between threats and resources]

Technical Countermeasures
- Passwords
- Encryption
- Cryptography
- Digital signatures
- Firewalls
- Key locks
- Smart cards
- Biometrics

Passwords
- The computer system is password protected.
- Make passwords as meaningless as possible:
  - No real words (forwards or backwards)
  - A mixture of letters and numbers
- Change passwords regularly.
- Never divulge passwords to anyone.

Encryption
- Encryption technology ensures that messages cannot be read by anyone other than the authorized recipient, even if they are intercepted.
- Encryption is usually deployed to protect data transported over a public network such as the Internet; it uses advanced mathematical algorithms to 'scramble' messages and their attachments.

Where is Encryption Used?
- ATMs
- EFTPOS
- Internet transactions
- Protecting medical records, corporate trade secrets, air traffic control centres, etc.

Cryptography
- The practical art of converting messages or data into a different form, such that no one can read them without having access to the 'key'.
- The message may be converted using a 'code' (in which case each character or group of characters is substituted by an alternative one) or a 'cypher' or 'cipher' (in which case the message as a whole is converted, rather than individual characters).
- Cryptanalysis is the science of 'breaking' or 'cracking' encryption schemes, i.e. discovering the decryption key.

Symmetric Cryptography
- The same key is used for encrypting and decrypting messages.

Public Key Cryptography
- Multiple people encrypt messages using the recipient's well-known public key. The recipient decrypts them with her private key.

MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE Public Key Cryptography (cont.)  A message encrypted with a Public Key can only be decrypted with the private Key  A message encrypted with the private key can only be decrypted with the public key

MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE Public Key Cryptography (cont.)  Key Distribution  Certification Authority (CA) acts as a trusted third party which distributes digital certificates.  The digital certificates which are publicly distributed contain a user’s public key as well as other information such as the user’s personal details and the expiry date of the key.  Registration Authoriy verifies a user’s identity at the time the user applies for a digital certificate. Often the CA and an RA are the same entities.

Public Key Distribution [diagram only]

Digital Signatures
- A block of text that is used to verify that a message really comes from the claimed sender.
- Can also be used to verify the time the document was sent.
- Can only be generated by the sender and is very difficult for anyone else to forge.

Digital Signature Process [diagram only]

Digital Envelopes
1. Sender generates a random message key (K) and encrypts the message (M) with K, creating the ciphertext message (CM).
2. Sender encrypts K with the recipient's public key (RPubK), generating ciphertext CK.
3. Sender computes a digital signature (S) using her private signature key (SPrivK).
4. Sender sends CK, CM and S to the recipient.
5. Recipient uses his private key (RPrivK) to decrypt CK and obtain K.
6. Recipient uses K to decrypt CM and get M.
7. Recipient uses the sender's public key (SPubK) to validate S.

Firewalls
- A firewall is a device placed between your system and the Internet. It can monitor and filter any incoming and outgoing traffic.
- Offers a single point at which security can be monitored and alarms generated.
- Encryption can be used as a safeguard.
- There should be a security policy in place.
- An important point to keep in mind is that firewalls are not always impenetrable.

Physical Countermeasures
- Defined as the protection of an organisation's resources against threats of damage, theft and natural disasters.
- Involves a layered approach.

[Diagram: security layers (Building Security, Computer Security, End User Security) against the threats Hacker Attacks, Physical Intrusion, Unauthenticated Access and Environmental Disruption]

Building Security
- Guards
- Alarm system
- Surveillance system
- Perimeter security (adequate lighting, security fences)
- Warning signs
- Centralized control (to respond to an attack as quickly as possible)

Procedural Countermeasures
- Conditions of use (lay out expectations)
- Key locks
- Supervision
- Usage monitoring
- Safe storage of data
- Backup (make copies of data and software)
- User authorisation
- Intruder detection
- Monitoring and control
- Business Continuity Plans
- Disaster Recovery Plans

MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE  Disaster Recovery Plan  Approved set of arrangements and procedures that enable an organisation to respond to a disaster and resume its critical business functions within a defined time frame  Business Continuity Plan  Process of developing advanced arrangements and procedures that enable an organisation to respond to an event in such a manner that critical business functions continue without interruption or essential change

Natural Disasters
- Cause extensive damage such as: loss of power, communication lines and processing; buildings set on fire; buildings collapsing.
- To mitigate the damage, organisations should: secure external communication links; install lightning protection; create firebreaks around buildings; ensure appropriate building construction.

IT Security Policy: Example [diagram only]

How to Secure an Environment
1. Assess the situation
2. Fix high-risk vulnerabilities
3. Secure the perimeter
4. Secure the interior
5. Deploy monitors
6. Test/attack high risks

Security Tips
- Use protection software ("anti-virus software") and keep it up to date.
- Don't open anything from unknown sources.
- Use hard-to-guess passwords.
- Protect your computer from Internet intruders: use firewalls.
- Don't share access to your computers with strangers. Learn about file-sharing risks.
- Back up your computer data.