Presentation is loading. Please wait.

Presentation is loading. Please wait.

E-COMMERCE SECURITY ELECTRONIC COMMERCE. E-Commerce Security Successful e-tailing requires addressing online security and privacy fears of your online.

Published byPhyllis Gordon Modified over 8 years ago

Similar presentations

Presentation on theme: "E-COMMERCE SECURITY ELECTRONIC COMMERCE. E-Commerce Security Successful e-tailing requires addressing online security and privacy fears of your online."— Presentation transcript:

1 E-COMMERCE SECURITY ELECTRONIC COMMERCE

2 E-Commerce Security Successful e-tailing requires addressing online security and privacy fears of your online customers 2

3 The Continuing Need for E- Commerce Security According to the 2014 CyberSecurity Watch Survey; Organizations have experienced significantly more attacks than in previous years. Only 56% of the participants have a plan for reporting and responding to a cybercrime. Insider incidents are more costly than external breaches, according to 67% of respondents 3

4 The Need for E-Commerce Security (cont…) Survey results (cont…); Almost three-quarters (72%), on average, of the insider incidents are handled internally without legal action. 4

5 The Need for E-Commerce Security (cont…) 5 Table. Factors Discouraging Consumer for Online Payment

6 Basic Security Issues What kinds of security questions arise? –From the user’s perspective: How can the user be sure that the Web server is owned and operated by a legitimate company? How does the user know that the Web page and form do not contain some malicious or dangerous code or content? How does the user know that the owner of the Web site will not distribute the information the user provides to some other party? 6

7 Basic Security Issues (cont…) What kinds of security questions arise? –From the company’s perspective: How does the company know the user will not attempt to break into the Web server or alter the pages and content at the site? How does the company know that the user will not try to disrupt the server so that it is not available to others? 7

8 Basic Security Issues (cont…) What kinds of security questions arise? –From both parties’ perspectives: How do both parties know that the network connection is free from eavesdropping by a third party “listening” on the line? How do they know that the information sent back-and- forth between the server and the user’s browser has not been altered? 8

9 Top Security Threats 9

10 Basic Security Issues (cont…) authentication The process by which one entity verifies that another entity is who he, she, or it claims to be authorization The process that ensures that a person has the right to access certain resources 10

11 Basic Security Issues (cont…) auditing The process of collecting information about attempts to access particular resources, use particular privileges, or perform other security actions confidentiality (privacy) Information that is private or sensitive should not be disclosed to unauthorized individuals, entities, or computer software processes 11

12 Basic Security Issues (cont…) integrity The ability to protect data from being altered or destroyed in an unauthorized or accidental manner is called integrity nonrepudiation The ability to limit parties from refuting that a legitimate transaction took place 12

13 Figure. General Security Issues at EC Sites 13

14 Types of Threats and Attacks There are two types: - Nontechnical attack - Technical attacak 14

15 Types of Threats and Attacks (c…) nontechnical attack An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network 15

16 Types of Threats and Attacks (cont…) Nontechnical Attacks: Social Engineering social engineering A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access 16

17 Types of Threats and Attacks (cont…) Nontechnical Attacks: Social Engineering (cont…) A multipronged approach should be used to combat social engineering Education and training Policies and procedures Penetration testing 17

18 Types of Threats and Attacks (cont…) technical attack An attack perpetrated using software and systems knowledge or expertise 18

19 Types of Threats and Attacks (cont…) common (security) vulnerabilities and exposures (CVEs) Publicly known computer security risks, which are collected, listed, and shared by a board of security- related organizations (cve.mitre.org) Among them two has affected the lives of millions: –Distributed denial of service (DDoS) –Malicious code 19

20 Types of Threats and Attacks (cont…) denial-of-service (DoS) attack An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources distributed denial-of-service (DDoS) attack A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses the multiple computers to send a flood of data packets to the target computer 20

21 Figure. Using Zombies in a Distributed Denial-of-Service Attack 21

22 Anonymous – January 20,2012 Anonymous has launched distributed denial-of- service attacks against government and corporate sites, including US Department of Justice, FBI and Universal Music. Typically, supporters download software called Low Orbit Ion Canon (LOIC) that directs their computer to repeatedly try to connect to a target Web site. So many digital knocks on the door were shut a site down so no one can get in. 22

23 Types of Threats and Attacks (cont…) malware A generic term for malicious software A number of factors have contributed to the overall increase in malicious code. Among these factors, the following are paramount: –Mixing data and executable instructions –Increasingly homogenous computing environments –Larger clueless user base 23

24 Types of Threats and Attacks (cont…) –As the number of attacks increases, the following trends in malicious code are emerging: Increased speed and volume of attacks Reduced time between the discovery of a vulnerability and the release of an attack to exploit the vulnerability Remotely-controlled robot networks E-commerce is the most frequently targeted industry Attacks against Web application technologies are increasing 24

25 Types of Threats and Attacks (cont…) virus A piece of software code that inserts itself into a host, including the operating systems, in order to propagate; it requires that its host program be run to activate it worm A software program that runs independently, consuming the resources of its host in order to maintain itself, that is capable of propagating a complete working version of itself onto another machine 25

26 Managing EC Security Common mistakes in managing security risks: –Undervalued information –Narrowly defined security boundaries –Reactive security management –Dated security management processes –Lack of communication about security responsibilities 26

27 Managing EC Security (cont…) Security Risk Management A systematic process for determining the likelihood of various security attacks and for identifying the actions needed to prevent or mitigate those attacks –Three phases: Asset identification Risk assessment Implementation 27

28 Securing EC Communications (cont…) access control (authorization) The process that ensures that a person has the right to access certain resources authentication The process by which one entity verifies that another entity is who he, she, or it claims to be Two-factor authentication 28

29 Securing EC Communications passive tokens Storage devices (e.g., magnetic strips) that contain a secret code used in a two-factor authentication system active tokens Small, stand-alone electronic devices that generate one-time passwords used in a two-factor authentication system 29

30 Securing EC Communications (cont…) biometric systems Authentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice 30

31 Securing EC Communications (cont…) public key infrastructure (PKI) A scheme for securing e-payments using public key encryption and various technical components encryption The process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time- consuming for an unauthorized person to unscramble (decrypt) it 31

32 Securing EC Communications (cont…) Credit card number is encrypted while it travels through the network - 5342 8765 3652 9982 (plaintext) - A number is added to each number in the card (encryption algorithm) - For example, add 4 (the key) to each number - The original number becomes 9786 2109 7096 3326 (chippertext) 32

33 Securing EC Communications (cont…) Digital Signatures digital signature An identifying code that can be used to authenticate the identity of the sender of a document 33

34 Securing EC Communications (cont…) digital certificate Verification that the holder of a public or private key is who he or she claims to be certificate authorities (CAs) Third parties that issue digital certificates 34

35 Securing EC Communications (cont…) Secure Socket Layer (SSL) Protocol that utilizes standard certificates for authentication and data encryption to ensure privacy or confidentiality Transport Layer Security (TLS) As of 1996, another name for the SSL protocol 35

36 36 Digital Certificate - VeriSign

37 37

38 Summary of Security Efforts Digital Certificate –Verification of a legitimate Web site SSL – Encyrption of sensitive information while travelling through the Web Digital signature – Verification of the identity of the data sender (including e-mail) https – Indication of a secure Web site 3D Secure – Verification of the identity of the card holder 38

39 Securing EC Networks The selection and operation of available technologies should be based on certain design concepts, including: –Layered security –Controlling access –Role-specific security –Monitoring –Keep systems patched –Response team 39

40 Figure. Layered Security 40

41 Securing EC Networks (cont…) firewall A network node consisting of both hardware and software that isolates a private network from a public network packets Segments of data and requests sent from one computer to another on the Internet; consist of the Internet addresses of the computers sending and receiving the data, plus other identifying information that distinguish one packet from another 41

42 Securing EC Networks (cont…) packet filters Rules that can accept or reject incoming packets based on source and destination addresses and the other identifying information packet-filtering routers Firewalls that filter data and requests moving from the public Internet to a private network based on the network addresses of the computer sending or receiving the request 42

43 Securing EC Networks (cont…) –Some examples of rules are as follows; Block all packets sent from a given Internet address Block any packet coming from the outside that has the address of a computer on the inside 43

44 44

45 Securing EC Networks (cont…) personal firewall A network node designed to protect an individual user’s desktop system from the public network by monitoring all the traffic that passes through the computer’s network interface card. 45

46 Securing EC Networks (cont…) intrusion detection systems (IDSs) A special category of software that can monitor activity across a network or on a host computer, watch for suspicious activity, and take automated action based on what it sees 46

47 Securing EC Networks (cont…) demilitarized zone (DMZ) Network area that sits between an organization’s internal network and an external network (Internet), providing physical isolation between the two networks that is controlled by rules enforced by a firewall 47

48 Securing EC Networks (cont…) honeynet A way to evaluate vulnerabilities of an organization by studying the types of attacks to which a site is subjected using a network of systems called honeypots honeypots Production systems (e.g., firewalls, routers, Web servers, database servers) designed to do NO real work but that are watched and studied as network intrusions occur 48

49 49 Security Threats and Precautions

Download ppt "E-COMMERCE SECURITY ELECTRONIC COMMERCE. E-Commerce Security Successful e-tailing requires addressing online security and privacy fears of your online."

Similar presentations

Copyright © 2009 Pearson Education, Inc. Publishing as Prentice Hall

Copyright © 2009 Pearson Education, Inc. Publishing as Prentice Hall
Chapter 11 E-Commerce Security.

Chapter 11 E-Commerce Security.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Chapter 11 E-Commerce Security

Chapter 11 E-Commerce Security
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Chapter 12 E-Commerce Security. © Prentice Hall 20042 Learning Objectives 1.Document the rapid rise in computer and network security attacks. 2.Describe.

Chapter 12 E-Commerce Security. © Prentice Hall Learning Objectives 1.Document the rapid rise in computer and network security attacks. 2.Describe.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.

Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.
Chapter 11 E-Commerce Security. Electronic CommercePrentice Hall © 2006 2 Learning Objectives 1.Document the trends in computer and network security attacks.

Chapter 11 E-Commerce Security. Electronic CommercePrentice Hall © Learning Objectives 1.Document the trends in computer and network security attacks.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Similar presentations

Ads by Google