
ITEC5611S. Kungpisdan 1 Course Outline Revisited
1. Overview of Electronic Commerce
2. E-Marketplace
3. Retailing in Electronic Commerce
4. Consumer Behavior, Market Research, and Advertisement
5. Business-to-Business E-Commerce
6. Public B2B Exchanges and Support Services
7. E-Supply Chains, Collaborative Commerce, Intrabusiness EC, and Corporate Portals
8. Project1 Presentation#1 (29/7/07)
9. Project1 Presentation#2 (5/8/07)
10. EC Architectural Framework & EC Security (19/8/07)
11. Electronic Payment Systems (19/8/07)
12. Search Engines, Directory Services and Internet Advertising (26/8/07)
13. Mobile Commerce and Pervasive Computing (2/9/07)
14. Building EC Applications and Infrastructure (9/9/07)
15. Project Presentation#1 (16/9/07)

Chapter 11 EC Architectural Framework and EC Security

ITEC5611S. Kungpisdan 3 Outline
EC Architectural Framework
EC Security
–Basic Security Issues
–Security Incidences
–Securing EC Communications
–Securing EC Networks
–Securing Web Servers

ITEC5611S. Kungpisdan 4 EC Framework
E-commerce Applications: Catalog based retail, Marketing & Advert., Banking & Investments, Supply Chain Management, Auctions, Home shopping, procurements

ITEC5611S. Kungpisdan 5 Network Infrastructure
The Internet Superhighway is responsible for seamless, reliable transportation of information among host devices.
Local Area Networks, IEEE Standards and Ethernet
Wide Area Networks
The Seamless Interface is offered through
–Internet and TCP/IP Model
–IP Addressing and Domain Naming System
–Internet Industry Structure

ITEC5611S. Kungpisdan 6 Information Distribution Technologies
Standard Protocols for Information Distribution on Internet
–File Transfer Protocol (FTP)
–Simple Mail Transfer Protocol (SMTP)
–Hyper Text Transfer Protocol (HTTP)
Web Server Implementations
–Apache Web Server
–Microsoft’s IIS

ITEC5611S. Kungpisdan 7 Multimedia Publishing Technologies
Information Publishing and Web Browsers
–Hyper Text Markup Language (HTML)
–Forms and Common Gateway Interface
–Active Server Pages (ASP), Cold Fusion Markup Language
–Dynamic HTML
–HTML Editors
–XML
Multimedia Content
–Graphics and Image Formats
–Web Image Formats
–Other Multimedia objects: VRML

ITEC5611S. Kungpisdan 8 Security and Encryptions
Importance of security for Electronic Commerce and inherent vulnerability of Internet
Protecting the Web (HTTP) Service
The Issues in Transaction Security
–Cryptography and Cryptanalysis
–Symmetric key cryptographic Algorithms
–Public Key Algorithms
–Authentication protocols
–Integrity and Non-repudiation
Digital Certificates and Signatures
Electronic Mail Security
–PGP, S/MIME
Security protocols for Web Commerce
–SSL, TLS

ITEC5611S. Kungpisdan 9 Payment Services
Payment Systems
Characteristics of Online Payment Systems
–Pre-Paid Electronic Payment Systems
–Instant-paid Electronic Payment Systems
–Post-Paid Electronic Payment Systems
Some Electronic Payment Systems
–Secure Electronic Transaction (SET) for Credit Cards
–Ecash
–NetCheque

ITEC5611S. Kungpisdan 10 Business Service Infrastructure
Searching and Locating Information on Web Space
Information Directories
–Purpose
–Organization
–Information Location in Information Directories
Search Engines
–Purpose
–Organization
–Location of Information using Search Engines
–Improving the search results
Internet Advertising
–Importance
–Models

ITEC5611S. Kungpisdan 11 Public Policy and Legal Infrastructure
Universal Access to Network Infrastructure
Model Law for Electronic Commerce
Taxation Issues in Electronic Commerce
Need for Public Key Infrastructure (PKI)
Digital Certificates and Digital Signatures

ITEC5611S. Kungpisdan 12 Outline
EC Architectural Framework
EC Security
–Basic Security Issues
–Security Incidences
–Securing EC Communications
–Securing EC Networks
–Securing Web Servers

ITEC5611S. Kungpisdan 13 Basic Security Issues
What kinds of security questions arise?
–From the user’s perspective:
Is the Web server owned and operated by a legitimate company?
Does the Web page and form contain any malicious or dangerous code or content?
Will the owner of the Web site distribute the information the user provides to some other party?

ITEC5611S. Kungpisdan 14 Basic Security Issues
What kinds of security questions arise?
–From the company’s perspective:
How does the company know the user will not attempt to break into the Web server or alter the pages and content at the site?
How does the company know that the user will not try to disrupt the server so that it is not available to others?

ITEC5611S. Kungpisdan 15 Basic Security Issues
What kinds of security questions arise?
–From both parties’ perspectives:
How do both parties know that the network connection is free from eavesdropping by a third party “listening” on the line?
How do they know that the information sent back-and-forth between the server and the user’s browser has not been altered?

ITEC5611S. Kungpisdan 16 Basic Security Issues
Authentication
Authorization
Auditing
Confidentiality (Privacy)
Integrity
Availability
Non-repudiation

ITEC5611S. Kungpisdan 17 Exhibit 11.1 General Security Issues at EC Sites

ITEC5611S. Kungpisdan 18 Outline
EC Architectural Framework
EC Security
–Basic Security Issues
–Security Incidences
–Types of Threats and Attacks
–Securing EC Communications
–Securing EC Networks
–Securing Web Servers

ITEC5611S. Kungpisdan 19 Threats and Vulnerabilities

ITEC5611S. Kungpisdan 20 Security Incidences
Probe
–A probe is characterized by unusual attempts to gain access to a system or to discover information about the system.
–Sometimes followed by a more serious security event, but they are often the result of curiosity or confusion.
Scan
–A large number of probes done using an automated tool.
–Often a prelude to a more directed attack on systems whose security can be breached.
Account Compromise
–Unauthorized use of a computer account by someone other than the account owner, without involving system-level or root-level privileges. It might expose the victim to serious data loss, data theft, or theft of services.
–The lack of root-level access means that the damage can usually be contained, but a user-level account opens up avenues for greater access to the system.

ITEC5611S. Kungpisdan 21 Security Incidences (cont’d)
Root Compromise
–Similar to an account compromise, except that the account that has been compromised has special privileges on the system.
Packet Sniffer
–A program that captures data from information packets as they travel over the network.

ITEC5611S. Kungpisdan 22 Security Incidences (cont’d)
denial-of-service (DoS) attack: An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources
distributed denial-of-service (DDoS) attack: A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses the multiple computers to send a flood of data packets to the target computer

ITEC5611S. Kungpisdan 23 Exhibit 11.2 Using Zombies in a Distributed Denial-of-Service Attack

ITEC5611S. Kungpisdan 24 Security Incidences (cont’d)
Exploitation of Trust
–Computers on the networks enjoy trust relationships with one another.
–If attackers can forge their identity, they may be able to gain unauthorized access to other computers.
Malicious Code
–A generic term for programs that cause undesired results on a system when executed. Such programs are generally discovered after the damage is done. Malicious code includes Trojan horses, viruses, and worms.
Internet Infrastructure Attacks
–These attacks involve key components of the Internet infrastructure rather than specific systems on the Internet. The attacks are rare but have serious implications for a large portion of the Internet.

ITEC5611S. Kungpisdan 25 Security Incidences (cont’d) Social Engineering
social engineering: A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access
Two types of social engineering: human-based and computer-based
–A multiprong approach should be used to combat social engineering:
Education and training
Policies and procedures
Penetration testing

ITEC5611S. Kungpisdan 26 Outline
EC Architectural Framework
EC Security
–Basic Security Issues
–Security Incidences
–Securing EC Communications
–Securing EC Networks
–Securing Web Servers

ITEC5611S. Kungpisdan 27 Securing EC Communications
access control: Mechanism that determines who can legitimately use a network resource
–Something you know: password
–Something you have: smartcard, tokens
–Something you are: biometrics
passive tokens: Storage devices (e.g., magnetic strips) that contain a secret code used in a two-factor authentication system
active tokens: Small, stand-alone electronic devices that generate one-time passwords used in a two-factor authentication system

ITEC5611S. Kungpisdan 28 Securing EC Communications
biometric systems: Authentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice
physiological biometrics: Measurements derived directly from different parts of the body (e.g., fingerprint, iris, hand, facial characteristics)
behavioral biometrics: Measurements derived from various actions and indirectly from various body parts (e.g., voice scans or keystroke monitoring)

ITEC5611S. Kungpisdan 29 Securing EC Communications
fingerprint scanning: Measurement of the discontinuities of a person’s fingerprint, which are then converted to a set of numbers that are stored as a template and used to authenticate identity
iris scanning: Measurement of the unique spots in the iris (colored part of the eye), which are then converted to a set of numbers that are stored as a template and used to authenticate identity

ITEC5611S. Kungpisdan 30 Securing EC Communications
encryption: The process of scrambling (encrypting) a message (plaintext) into ciphertext in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it
plaintext + encryption algorithm + key → ciphertext


ITEC5611S. Kungpisdan 32 Securing EC Communications
symmetric (private) key system: An encryption system that uses the same key to encrypt and decrypt the message
Data Encryption Standard (DES): The standard symmetric encryption algorithm supported by NIST and used by U.S. government agencies until October 2, 2000
Rijndael: The new Advanced Encryption Standard used to secure U.S. government communications since October 2, 2000

ITEC5611S. Kungpisdan 33 Exhibit 11.4 Symmetric (Private) Key Encryption

ITEC5611S. Kungpisdan 34 Securing EC Communications Public (Asymmetric) Key Encryption
public key encryption: Method of encryption that uses a pair of matched keys—a public key to encrypt a message and a private key to decrypt it, or vice versa
public key: Encryption code that is publicly available to anyone

ITEC5611S. Kungpisdan 35 Securing EC Communications Digital Signatures
digital signature: An identifying code that can be used to authenticate the identity of the sender of a document
hash: A mathematical computation that is applied to a message, using a private key, to encrypt the message

ITEC5611S. Kungpisdan 36 Securing EC Communications Digital Signatures
message digest: A summary of a message, converted into a string of digits, after the hash has been applied
digital envelope: The combination of the encrypted original message and the digital signature, using the recipient’s public key

ITEC5611S. Kungpisdan 37 Exhibit 11.5 Digital Signatures

ITEC5611S. Kungpisdan 38 Securing EC Communications
public key infrastructure (PKI): A scheme for securing e-payments using public key encryption and various technical components
digital certificate: Verification that the holder of a public or private key is who he or she claims to be
certificate authorities (CAs): Third parties that issue digital certificates

ITEC5611S. Kungpisdan 39 Securing EC Communications
Secure Socket Layer (SSL): Protocol that utilizes standard certificates for authentication and data encryption to ensure privacy or confidentiality
Transport Layer Security (TLS): As of 1996, another name for the SSL protocol

ITEC5611S. Kungpisdan 40 Outline
EC Architectural Framework
EC Security
–Basic Security Issues
–Security Incidences
–Securing EC Communications
–Securing EC Networks
–Securing Web Servers

ITEC5611S. Kungpisdan 41 Securing EC Networks
The selection and operation of these technologies should be based on certain design concepts, including:
–Layered security
–Controlling access
–Role-specific security
–Monitoring
–Keep systems patched
–Response team

ITEC5611S. Kungpisdan 42 Exhibit 11.6 Layered Security

ITEC5611S. Kungpisdan 43 Security at Each Layer

ITEC5611S. Kungpisdan 44 Securing EC Networks
firewall: A network node consisting of both hardware and software that isolates a private network from a public network
packet-filtering routers: Firewalls that filter data and requests moving from the public Internet to a private network based on the network addresses of the computer sending or receiving the request

ITEC5611S. Kungpisdan 45 Securing EC Networks
packets: Segments of data and requests sent from one computer to another on the Internet; consist of the Internet addresses of the computers sending and receiving the data, plus other identifying information that distinguishes one packet from another
packet filters: Rules that can accept or reject incoming packets based on source and destination addresses and the other identifying information

ITEC5611S. Kungpisdan 46 Securing EC Networks
application-level proxy: A firewall that permits requests for Web pages to move from the public Internet to the private network
bastion gateway: A special hardware server that utilizes application-level proxy software to limit the types of requests that can be passed to an organization’s internal networks from the public Internet
proxies: Special software programs that run on the gateway server and pass repackaged packets from one network to the other

ITEC5611S. Kungpisdan 47 Exhibit 11.7 Application Level Proxy (Bastion Gateway Host)

ITEC5611S. Kungpisdan 48 Securing EC Networks
demilitarized zone (DMZ): Network area that sits between an organization’s internal network and an external network (Internet), providing physical isolation between the two networks that is controlled by rules enforced by a firewall.
personal firewall: A network node designed to protect an individual user’s desktop system from the public network by monitoring all the traffic that passes through the computer’s network interface card.
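An added example, not from the slides, of the packet-filter rules of slide 45 arranged to enforce the DMZ of slide 48: the Internet may reach only the DMZ web server on its service ports, only that web server may reach the internal database, and anything no rule accepts is rejected. Addresses, ports and the rule set are constructed for the example; the anti-spoofing rules at the top address the forged-identity risk from slide 24, since a filter that trusts the web server's address would otherwise accept a packet from outside that merely claims it.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str            # source address as carried in the packet
    dst: str            # destination address
    dport: int          # destination port
    iface: str          # interface the packet arrived on: external, dmz or internal
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "reject"
    src: str                     # CIDR block the source must fall in
    dst: str                     # CIDR block the destination must fall in
    dports: frozenset | None     # allowed destination ports, None = any
    proto: str | None = None     # None = any protocol
    iface: str | None = None     # None = any arrival interface

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dports is None or pkt.dport in self.dports)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.iface is None or pkt.iface == self.iface))

# Constructed addressing: a /24 DMZ holding the public web server and an
# RFC 1918 internal network holding the database; everything else is "the Internet".
ANY, DMZ, INTERNAL = "0.0.0.0/0", "192.0.2.0/24", "10.0.0.0/8"
WEB, DB = "192.0.2.10/32", "10.0.5.20/32"

RULES = [
    # Anti-spoofing first: traffic arriving from the Internet must not claim an
    # inside address, or the trust placed in WEB below could be forged.
    Rule("reject", DMZ, ANY, None, iface="external"),
    Rule("reject", INTERNAL, ANY, None, iface="external"),
    # Internet -> DMZ web server, only on the web service ports.
    Rule("accept", ANY, WEB, frozenset({80, 443}), "tcp", "external"),
    # DMZ web server -> internal database, only on the database port.
    Rule("accept", WEB, DB, frozenset({5432}), "tcp", "dmz"),
    # Nothing else crosses from outside or from the DMZ into the internal network.
    Rule("reject", ANY, INTERNAL, None),
    Rule("reject", ANY, DMZ, None),
]

def filter_packet(pkt: Packet, rules=RULES) -> str:
    """First matching rule decides; a packet no rule matches is rejected (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "reject"
```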

ITEC5611S. Kungpisdan 49 Exhibit 11.8 Demilitarized Zone (DMZ)

ITEC5611S. Kungpisdan 50 Securing EC Networks
virtual private network (VPN): A network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network

ITEC5611S. Kungpisdan 51 Securing EC Networks
intrusion detection systems (IDSs): A special category of software that can monitor activity across a network or on a host computer, watch for suspicious activity, and take automated action based on what it sees
honeypots: Production systems (e.g., firewalls, routers, Web servers, database servers) designed to do real work but that are watched and studied as network intrusions occur
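Slide 20 separates a probe (an unusual access attempt) from a scan (a large number of probes from one source, usually automated), and slide 51 describes an IDS that watches for exactly this kind of activity. As an added example, not from the slides, the block below applies that distinction to constructed firewall log lines: a source is labelled a scan when it touches many distinct host/port targets within a short window. The log format, the 60-second window and the 10-target threshold are assumed values for the example; the last test shows that a slow scan spread over an hour only surfaces when the window is widened.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One dropped connection attempt per line; the format is constructed for this example.
LOG_RE = re.compile(r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

SAMPLE_LOG = """\
2007-08-19T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=21
2007-08-19T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=22
2007-08-19T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=23
2007-08-19T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=25
2007-08-19T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=110
2007-08-19T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=143
2007-08-19T10:00:04 DROP src=203.0.113.7 dst=192.0.2.10 dport=3306
2007-08-19T10:00:04 DROP src=203.0.113.7 dst=192.0.2.10 dport=5432
2007-08-19T10:00:05 DROP src=203.0.113.7 dst=192.0.2.10 dport=8080
2007-08-19T10:00:05 DROP src=203.0.113.7 dst=192.0.2.11 dport=22
2007-08-19T10:00:06 DROP src=203.0.113.7 dst=192.0.2.12 dport=22
2007-08-19T10:07:40 DROP src=198.51.100.4 dst=192.0.2.10 dport=8443
2007-08-19T10:07:41 DROP src=198.51.100.4 dst=192.0.2.10 dport=8443
2007-08-19T11:00:00 DROP src=203.0.113.99 dst=192.0.2.10 dport=21
2007-08-19T11:30:00 DROP src=203.0.113.99 dst=192.0.2.10 dport=22
2007-08-19T12:00:00 DROP src=203.0.113.99 dst=192.0.2.10 dport=23
"""

def parse_log(log_text):
    """Yield (timestamp, src, dst, dport); lines the pattern does not match are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def classify_sources(log_text, window=timedelta(seconds=60), scan_threshold=10):
    """Label each source 'scan' if it reached at least scan_threshold distinct
    (host, port) targets inside any single window, otherwise 'probe'."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_log(log_text):
        by_src[src].append((ts, (dst, dport)))
    verdicts = {}
    for src, events in by_src.items():
        events.sort()                      # chronological, so each window starts at events[i]
        peak = 0
        for i, (start, _) in enumerate(events):
            targets = {tgt for when, tgt in events[i:] if when - start <= window}
            peak = max(peak, len(targets))
        verdicts[src] = "scan" if peak >= scan_threshold else "probe"
    return verdicts
```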

ITEC5611S. Kungpisdan 52 Outline
EC Architectural Framework
EC Security
–Basic Security Issues
–Security Incidences
–Securing EC Communications
–Securing EC Networks
–Securing Web Servers

ITEC5611S. Kungpisdan 53 Web Server Security
HTTP Server (aka Web Server)
–If the site is well secured, the only interaction will happen through this service counter.
–HTTP Servers bind to a privileged port (80), thus run as root. This provides them unlimited access to the host system.
Run in a chrooted environment
–% chroot /www /etc/httpd/bin/httpd
–This sets the root file system of httpd to /www; only files under /www can be accessed by the web server.
–Users cannot serve files from home directories.

ITEC5611S. Kungpisdan 54 Web Server Security
Each HTTP Server has 4 configuration files:
–access.conf: Access Control
–httpd.conf: Server Configuration
–mime.types: File extensions and their meanings
–srm.conf: Options including directories and Users
Define in httpd.conf: ServerRoot /var/httpd/
Define in srm.conf: DocumentRoot /var/httpdocs

ITEC5611S. Kungpisdan 55 Web Server Security: Root, ServerRoot, DocumentRoot (diagram)

Questions? Next lecture: Electronic Payment Systems