1 E-Commerce Security Part I – Threats

2 Objectives
Threats to:
- intellectual property rights
- client computers
- communication channels between computers
- server computers

3 Security Overview
Computer security is the protection of assets from unauthorized access, use, alteration, or destruction. There are two types of security:
- Physical security includes tangible protection devices, such as alarms and guards.
- Logical security is the protection of assets using nonphysical means.

4 Security Overview
Any act or object that poses a danger to computer assets is known as a threat. A countermeasure is a procedure that recognizes, reduces, or eliminates a threat.

5 Security Overview
An eavesdropper is a person or device that can listen in on and copy Internet transmissions. People who write programs or manipulate technologies to obtain unauthorized access to computers and networks are called crackers or hackers.

6 Privacy vs. Security
Privacy is the protection of individual rights to nondisclosure. Security provides protection from inadvertent information disclosure.

7 Privacy
Privacy Act of 1974: information you provide to a government agency will not be disclosed to anyone outside of that agency. A cookie is a small data file that some Web sites write to your hard drive when you view the Web site. This file can be retrieved by any server in the domain that created it.
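The slide's last sentence is the privacy-relevant detail: a cookie set by one host is sent to every server that its Domain attribute covers. The model below is an added example, not from the slides, of the domain-match rule browsers apply (RFC 6265): a cookie carrying Domain=example.com reaches every host under example.com, a cookie with no Domain attribute stays with the host that set it, and a Domain that does not cover the responding host is rejected. The host names, cookie names and values are constructed.

```python
"""Which servers receive a cookie once one host in a domain has set it?
Added example (not from the slides): a model of the RFC 6265 rules that
browsers apply. The hosts, cookie names and values are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # effective domain, lowercase, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    secure: bool = False
    http_only: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: the host equals the cookie
    domain, or ends with "." + cookie_domain (and is not an IP address)."""
    host = request_host.lower()
    if host == cookie_domain:
        return True
    looks_like_ipv4 = host.replace(".", "").isdigit()   # simplification
    return host.endswith("." + cookie_domain) and not looks_like_ipv4


def parse_set_cookie(header: str, request_host: str) -> Optional[Cookie]:
    """Parse a Set-Cookie header received from request_host, applying the
    same Domain-attribute check a browser does: a Domain that does not
    cover the responding host causes the whole cookie to be ignored."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only, secure, http_only = request_host.lower(), True, False, False
    for attribute in parts[1:]:
        key, _, val = attribute.partition("=")
        key, val = key.strip().lower(), val.strip().lower().lstrip(".")
        if key == "domain" and val:
            if not domain_matches(request_host, val):
                return None   # browser rejects a Domain it is not part of
            domain, host_only = val, False
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    return Cookie(name.strip(), value, domain, host_only, secure, http_only)


def cookie_sent_to(cookie: Cookie, request_host: str, https: bool = True) -> bool:
    """Would a browser attach this cookie to a request to request_host?"""
    if cookie.secure and not https:
        return False
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


def receiving_hosts(cookie: Cookie, candidates: List[str]) -> List[str]:
    """The subset of candidate hosts that would receive the cookie."""
    return [h for h in candidates if cookie_sent_to(cookie, h)]


# Constructed hosts: three inside example.com, two that merely contain the string.
DEMO_HOSTS = ["shop.example.com", "payments.example.com", "example.com",
              "example.com.evil.test", "notexample.com"]

if __name__ == "__main__":
    wide = parse_set_cookie("session=abc123; Domain=example.com; Secure", "shop.example.com")
    narrow = parse_set_cookie("session=abc123; Secure", "shop.example.com")
    print("Domain=example.com ->", receiving_hosts(wide, DEMO_HOSTS))
    print("no Domain attribute ->", receiving_hosts(narrow, DEMO_HOSTS))
```

The practical consequence for a shop: a session cookie set with Domain=example.com is readable by every subdomain, so a compromised or third-party-hosted subdomain receives it too; omitting the Domain attribute keeps the cookie host-only.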

8 Security Classification
Three computer security categories: secrecy, integrity, necessity.

9 Computer Security Classification
- Secrecy refers to protecting against unauthorized data disclosure and ensuring the authenticity of the data's source.
- Integrity refers to preventing unauthorized data modification.
- Necessity refers to preventing data delays or denials.

10 Security Policy
A security policy is a written statement describing which assets to protect and why they are being protected, who is responsible for that protection, and which behaviors are acceptable and which are not. The first step an organization must take in creating a security policy is to determine what assets to protect and from whom.

11 Security Policy
Specific elements of a security policy address the following points:
- Authentication: Who is trying to access the electronic commerce site?
- Access control: Who is allowed to log on to and access the electronic commerce site?
- Secrecy: Who is permitted to view selected information?
- Data integrity: Who is allowed to change data, and who is not?
- Audit: Who or what causes selected events to occur and when?
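Each of the five questions on this slide corresponds to a mechanism in the site's code. The block below is an added example, not from the slides, that maps them one-to-one: authentication is a salted PBKDF2 password check, access control, secrecy ("who may view") and data integrity ("who may change") are a role-permission matrix, and audit is an append-only event log that records every decision, allowed or denied. The user names, roles and resources are constructed for illustration.

```python
"""Added example (not from the slides): a minimal enforcement layer that
maps the five policy elements on this slide to code. User names, roles
and resources are constructed for illustration."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000

# Access-control matrix. "view" rows answer the secrecy question (who may
# see the data); "change" rows answer the data-integrity question (who may
# alter it). Constructed roles and resources.
PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "customer": {("view", "own_orders")},
    "clerk":    {("view", "own_orders"), ("view", "all_orders")},
    "admin":    {("view", "own_orders"), ("view", "all_orders"),
                 ("change", "all_orders"), ("change", "prices")},
}


@dataclass
class AuditEvent:
    when: float
    user: str
    action: str
    resource: str
    outcome: str


@dataclass
class SecurityStore:
    # user -> (salt, pbkdf2 digest, role)
    users: Dict[str, Tuple[bytes, bytes, str]] = field(default_factory=dict)
    audit: List[AuditEvent] = field(default_factory=list)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def add_user(store: SecurityStore, user: str, password: str, role: str) -> None:
    if role not in PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    salt = os.urandom(16)
    store.users[user] = (salt, _derive(password, salt), role)


def authenticate(store: SecurityStore, user: str, password: str) -> Optional[str]:
    """Who is trying to access the site? Returns the user's role on success,
    None otherwise. An unknown user still costs one PBKDF2 derivation so the
    response time does not reveal which user names exist."""
    record = store.users.get(user)
    salt, expected = (record[0], record[1]) if record else (b"\x00" * 16, b"\x00" * 32)
    ok = hmac.compare_digest(_derive(password, salt), expected) and record is not None
    store.audit.append(AuditEvent(time.time(), user, "login", "site",
                                  "success" if ok else "failure"))
    return record[2] if ok else None


def authorize(store: SecurityStore, user: str, action: str, resource: str) -> bool:
    """Is this user allowed to perform action on resource? Every decision,
    allowed or denied, is written to the audit log."""
    record = store.users.get(user)
    allowed = record is not None and (action, resource) in PERMISSIONS[record[2]]
    store.audit.append(AuditEvent(time.time(), user, action, resource,
                                  "allowed" if allowed else "denied"))
    return allowed


def audit_trail(store: SecurityStore, user: str) -> List[Tuple[str, str, str]]:
    """Who or what caused which events? Returns (action, resource, outcome)
    for one user, in order of occurrence."""
    return [(e.action, e.resource, e.outcome) for e in store.audit if e.user == user]


if __name__ == "__main__":
    store = SecurityStore()
    add_user(store, "alice", "correct horse", "admin")
    add_user(store, "bob", "battery staple", "customer")
    print(authenticate(store, "bob", "battery staple"))      # customer
    print(authorize(store, "bob", "change", "prices"))       # False
    print(audit_trail(store, "bob"))
```

Denied attempts are logged as deliberately as successes; a run of "denied" entries for one user is the audit signal the policy's last question is asking for.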

12 Intellectual Property Threats
Copyright is the protection of expression. Intellectual property is the ownership of ideas and control over the tangible or virtual representation of those ideas. U.S. Copyright Act of Copyright Clearance Center provides copyright information.

13 Domain Names
Issues of intellectual property rights for Internet domain names:
- Cybersquatting
- Name changing
- Name stealing

14 Cybersquatting
Cybersquatting is the practice of registering a domain name that is the trademark of another person or company in the hope that the owner will pay huge amounts of money to acquire the URL. On November 29, 1999, the U.S. Anticybersquatting Consumer Protection Act was signed into law.

15 Name Changing
Name changing occurs when someone registers purposely misspelled variations of well-known domain names. The practice of name changing is annoying to affected online businesses and confusing to their customers.
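The defensive side of name changing is spotting the misspelled variants once they appear, for example in proxy logs or in newly registered domain feeds. The block below is an added example, not from the slides, of such a check: it compares the registrable label of each observed domain with a list of brand labels the business owns and flags homoglyph substitutions (examp1e, exarnple), small edit distances including adjacent transpositions (exampel, exmaple), and use of the brand as a subdomain of some other name. The observed domains are constructed, and the registrable-label extraction is a simplification that ignores the public suffix list, so suffixes such as co.uk are not handled.

```python
"""Added example (not from the slides): flag look-alike domain names
against brands you own. Observed domains are constructed; the
registrable-label extraction ignores the public suffix list."""
from typing import List, Tuple

# Characters and pairs commonly substituted to look like another letter.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Fold visually similar sequences so 'examp1e' and 'exarnple' compare
    equal to 'example'."""
    label = label.lower()
    for lookalike, letter in CONFUSABLES:
        label = label.replace(lookalike, letter)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def flag_lookalikes(observed: List[str], brands: List[str],
                    max_distance: int = 2) -> List[Tuple[str, str, str]]:
    """Return (domain, brand, reason) for each observed domain that imitates
    a brand label; the genuine domain itself is never flagged."""
    findings = []
    for domain in observed:
        labels = domain.lower().strip(".").split(".")
        if len(labels) < 2:
            continue
        registrable = labels[-2]          # simplification: no public suffix list
        for brand in brands:
            brand = brand.lower()
            if registrable == brand:
                continue                  # the genuine domain
            if brand in labels[:-2]:
                findings.append((domain, brand, "brand used as subdomain"))
            elif normalize(registrable) == normalize(brand):
                findings.append((domain, brand, "homoglyph substitution"))
            else:
                distance = osa_distance(registrable, brand)
                if distance <= max_distance:
                    findings.append((domain, brand, f"edit distance {distance}"))
    return findings


# Constructed sample: one genuine domain, four misspellings, one unrelated
# name, and one that hides the brand in a subdomain.
BRANDS = ["example"]
OBSERVED = ["example.com", "exampel.com", "examp1e.net", "exarnple.com",
            "unrelated.org", "example.com.login-check.test", "exmaple.co"]

if __name__ == "__main__":
    for domain, brand, reason in flag_lookalikes(OBSERVED, BRANDS):
        print(f"{domain:32} imitates {brand}: {reason}")
```

A distance threshold of 2 is generous for short brand labels and will produce false positives on unrelated short words; tune it per brand, and treat the output as a review queue rather than an automatic block list.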

16 Name Stealing
Name stealing occurs when someone changes the ownership of the domain name assigned to another site and owner. After domain name ownership is changed, the name stealer can manipulate the site.

17 E-Commerce Threats
There are three types of electronic commerce threats:
- Client computer threats
- Communication channel threats
- Server computer threats

18 Client Threats
Web pages were mainly static; the widespread use of active content has changed the function of Web pages. Sources of client threats:
- Active content: Java, Java applets, JavaScript, VBScript
- ActiveX controls
- Graphics, plug-ins, and attachments

19 Active Content
Active content refers to programs that are embedded transparently in Web pages and that cause actions to occur. The best-known active content forms are Java applets, ActiveX controls, JavaScript, and VBScript. Active content also includes graphics and Web browser plug-ins.

20 Active Content
Plug-ins are programs that interpret or execute instructions embedded in downloaded graphics, sounds, and other objects. Active content, in all its forms, enables Web pages to take action. Active content gives life to static Web pages.

21 Active Content

22 Active Content
A Trojan horse is a program hidden inside another program or Web page that masks its true purpose. A zombie is a program that secretly takes over another computer for the purpose of launching attacks on other computers. Malicious 'cookies' can destroy files stored on client computers.

23 Applets/JavaScript/VBScript
A Java applet adds functionality to business applications and can handle transactions and a wide variety of actions on the client computer. JavaScript and VBScript are scripting languages that enable Web page designers to build active content. JavaScript/VBScript can invoke privacy and integrity attacks by executing code that destroys your hard disk.

24 ActiveX Controls
An ActiveX control is an object that contains programs and properties that Web designers place on Web pages to perform particular tasks. Because ActiveX controls have full access to your computer, they can cause secrecy, integrity, or necessity violations.

25 ActiveX Controls

26 Graphics, Plug-Ins, Attachments
Graphics, browser plug-ins, and attachments can harbor executable content. The code embedded in a graphic could be a potential threat. E-mail attachments provide a convenient way to send non-text information over a text-only system.

27 Virus
A virus is software that attaches itself to another program and can cause damage when the host program is activated. Worm viruses replicate themselves on other machines. A macro virus is coded as a small program and is embedded in a file. The term steganography describes information that is hidden within another piece of information.

28 Communication Channel Threats
The Internet is not at all secure. Messages on the Internet travel a random path from a source node to a destination node. Internet channel security threats include: secrecy, integrity, necessity.

29 Secrecy Threats
Secrecy is the prevention of unauthorized information disclosure; it is a technical issue requiring sophisticated physical and logical mechanisms. Privacy is the protection of individual rights to nondisclosure; privacy protection is a legal matter.

30 Secrecy Threats
Web users are continually revealing information about themselves when they use the Web. Sniffer programs provide the means to tap into the Internet and record information that passes through a particular computer (router) on its way from its source to its destination. The programs can read messages as well as E-commerce information.

31 Integrity Threats
An integrity threat exists when an unauthorized party can alter a message stream of information. Cyber vandalism is an example of an integrity violation. Masquerading or spoofing is one means of creating havoc on Web sites.

32 Necessity Threats
The purpose of a necessity threat is to disrupt normal computer processing or to deny processing entirely. Necessity threats are also known as delay, denial, or denial-of-service (DoS) threats.

33 Web Server Threats
Servers have vulnerabilities that can be exploited to cause destruction or to acquire information illegally. Server threats include:
- Web server threats
- database threats
- common gateway interface (CGI) threats
- other programming threats

34 Web Server Threats
Setting up a Web server to run in high-privilege status can lead to a Web server threat. A secrecy violation occurs when a server's folder names and contents are revealed to a Web browser.
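The second sentence describes a directory listing: a request for a folder that returns the folder's file names. The block below is an added example, not from the slides or any particular server product, of how a server maps a request path onto its document root without revealing folder contents and without serving anything outside the root. A folder with no index.html gets 403 rather than a listing, and realpath() resolution catches both ".." traversal (including the percent-encoded %2e%2e form) and symlinks that point outside the root. The document root that build_demo_docroot() creates in a temporary directory is constructed for illustration.

```python
"""Added example (not from the slides): map a request path onto a document
root without directory listings or escapes from the root. The demo
document root is constructed in a temporary directory."""
import os
import shutil
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import unquote


def resolve_request(docroot: str, url_path: str) -> Tuple[int, Optional[str]]:
    """Map url_path to a file under docroot. Returns (HTTP status, path).
    400: malformed path; 403: path escapes the root or names a folder with
    no index.html (no directory listing); 404: nothing there; 200: a file."""
    root = os.path.realpath(docroot)
    # Drop the query string, percent-decode, and refuse embedded NUL bytes.
    relative = unquote(url_path.split("?", 1)[0]).lstrip("/")
    if "\x00" in relative:
        return 400, None
    candidate = os.path.realpath(os.path.join(root, relative))
    # realpath() collapses ".." and follows symlinks, so one prefix test
    # catches both traversal and symlinks that point outside the root.
    if candidate != root and not candidate.startswith(root + os.sep):
        return 403, None
    if os.path.isdir(candidate):
        index = os.path.join(candidate, "index.html")
        return (200, index) if os.path.isfile(index) else (403, None)
    if os.path.isfile(candidate):
        return 200, candidate
    return 404, None


def build_demo_docroot() -> str:
    """Constructed document root: an index page, an images folder with one
    file, a folder with no index page, and a symlink that escapes the root."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "private"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>Shop</h1>")
    with open(os.path.join(root, "images", "logo.png"), "wb") as f:
        f.write(b"\x89PNG constructed placeholder")
    with open(os.path.join(root, "private", "notes.txt"), "w") as f:
        f.write("internal\n")
    try:
        os.symlink(os.path.dirname(root), os.path.join(root, "escape"))
    except OSError:
        pass   # symlink creation needs privileges on some platforms
    return root


# Constructed requests: the root, a real file, two folders without an index,
# a missing file, two traversal attempts, and the escaping symlink.
DEMO_REQUESTS = ["/", "/images/logo.png", "/images/", "/private/", "/missing.html",
                 "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd", "/escape/"]


def run_demo() -> Dict[str, int]:
    """Status each demo request receives; only real files under the root get 200."""
    root = build_demo_docroot()
    try:
        return {req: resolve_request(root, req)[0] for req in DEMO_REQUESTS}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for request, status in run_demo().items():
        print(f"{status} {request}")
```

Disabling listings does not by itself protect files in a folder whose names are guessable; it only stops the server from enumerating them, which is the specific secrecy violation the slide names. Files that must not be served at all belong outside the document root.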

35 Database Threats
Databases connected to the Web contain information that could damage a company if it were disclosed or altered. Anyone who obtains user authentication information can masquerade as a legitimate user.

36 Common Gateway Interface Threats
Because CGI scripts are programs, they present a security threat if misused. CGI scripts can be set up to run with high privileges, which creates a threat. CGI programs or scripts can reside just about anywhere on the Web server, which makes them hard to track down and manage.

37 Other Programming Threats
Another serious Web server attack can come from programs executed by the server. A mail bomb occurs when thousands of people send a message to a particular address.

38 Threats to the Physical Security of Servers
Web servers are key physical resources, and therefore the computers and related equipment must be physically protected by businesses. Many companies maintain backup copies of server content at a remote location, e.g. airline reservation systems, stock brokerage firm trading systems, and bank account clearing systems.