
0 Chapter 10: E-Commerce Security and Fraud Issues and Protections

1 Learning Objectives Understand the importance and scope of security of information systems for EC. Describe the major concepts and terminology of EC security. Understand about the major EC security threats, vulnerabilities, and technical attacks. Understand Internet fraud, phishing, and spam. Describe the information assurance security principles

2 Learning Objectives Describe the major technologies for protection of EC networks, including access control. Describe various types of controls and special defense mechanisms. Describe consumer and seller protection from fraud. Discuss enterprisewide implementation issues for EC security. Understand why it is so difficult to stop computer crimes. Discuss the future of EC.

3 HOW STATE UNIVERSITY OF NEW YORK COLLEGE AT OLD WESTBURY CONTROLS ITS INTERNET USE
The Problem The College does not regulate the types of devices people use in its network Students, faculty, and networks are vulnerable to a variety of security issues originating from social media websites The College encourages the use of social media as a collaborative, sharing, and learning environment

4 HOW STATE UNIVERSITY OF NEW YORK COLLEGE AT OLD WESTBURY CONTROLS ITS INTERNET USE
Social media is also a leading target for malware writers, an ideal place for cybercriminals to insert viruses and hack into systems The attempt to use intelligent agents (which some students objected to having on their computers) as guards failed

5 HOW STATE UNIVERSITY OF NEW YORK COLLEGE AT OLD WESTBURY CONTROLS ITS INTERNET USE
The university decided to rewrite its old usage policy to meet the needs of current technology Bandwidth usage was a problem The high level usage for non educational related activities sometimes interfered with classroom or research needs

6 HOW STATE UNIVERSITY OF NEW YORK COLLEGE AT OLD WESTBURY CONTROLS ITS INTERNET USE
The Solution All students, faculty, and staff received a user ID for computer utilization Next, a new usage policy was implemented This policy was communicated to all users and was enforced by monitoring the usage for each ID, watching network traffic, and performing behavioral analysis

7 HOW STATE UNIVERSITY OF NEW YORK COLLEGE AT OLD WESTBURY CONTROLS ITS INTERNET USE
The Results The modified system monitors performance and automatically sends alerts to management when deviations from the policy occur. Users are contacted and alerted to the problem, and the user can go to the student computer lab for problem resolution. Bandwidth is controlled only when classes are in session.

8 LESSONS LEARNED FROM THE CASE
This case demonstrates two problems: possible malware attacks and insufficient bandwidth The university can monitor when users are on the university network, look for any unusual activity, and take appropriate action if needed, demonstrates one of the defense mechanisms used by an organization
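The policy enforcement the case describes (usage tracked per user ID, alerts on deviation, bandwidth controlled only while classes are in session) can be expressed as a small detection routine over a usage log. The following Go program is an added example, not code from the textbook or from the college; the log format, the user IDs, the class hours and the byte cap are all constructed assumptions for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// FlowRecord is one parsed line of the (constructed) usage log: when the
// traffic occurred, which user ID generated it, how many bytes, and whether
// the traffic class counts as educational under the usage policy.
type FlowRecord struct {
	At          time.Time
	UserID      string
	Bytes       int64
	Educational bool
}

// Policy mirrors the case: non-educational traffic per user is capped, but
// the cap is enforced only during class hours.
type Policy struct {
	ClassStart, ClassEnd int   // hours of day, half-open [start, end)
	NonEduCapBytes       int64 // per user, summed over in-class records
}

// InClass reports whether t falls inside class hours on a weekday.
func (p Policy) InClass(t time.Time) bool {
	if wd := t.Weekday(); wd == time.Saturday || wd == time.Sunday {
		return false
	}
	h := t.Hour()
	return h >= p.ClassStart && h < p.ClassEnd
}

// ParseLog reads lines of the form "<RFC3339 time> <user> <bytes> <edu|other>".
// Malformed input is rejected rather than silently skipped, so a corrupted
// log cannot hide traffic from the monitor.
func ParseLog(log string) ([]FlowRecord, error) {
	var recs []FlowRecord
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %v", line, err)
		}
		n, err := strconv.ParseInt(f[2], 10, 64)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad byte count in %q", line)
		}
		recs = append(recs, FlowRecord{At: at, UserID: f[1], Bytes: n, Educational: f[3] == "edu"})
	}
	return recs, sc.Err()
}

// Alerts returns, sorted, the user IDs whose in-class non-educational traffic
// exceeds the policy cap; these are the IDs management would be alerted about.
func Alerts(recs []FlowRecord, p Policy) []string {
	total := map[string]int64{}
	for _, r := range recs {
		if !r.Educational && p.InClass(r.At) {
			total[r.UserID] += r.Bytes
		}
	}
	var out []string
	for id, n := range total {
		if n > p.NonEduCapBytes {
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out
}

// SampleLog is constructed test data (2015-03-02 is a Monday, 2015-03-07 a Saturday).
const SampleLog = `# time user bytes class
2015-03-02T10:05:00Z u1001 900000000 other
2015-03-02T10:30:00Z u1001 400000000 other
2015-03-02T11:00:00Z u1002 300000000 edu
2015-03-02T11:15:00Z u1002 200000000 other
2015-03-02T20:00:00Z u1003 5000000000 other
2015-03-07T10:00:00Z u1004 5000000000 other
`

// CampusPolicy is an assumed policy: classes 08:00-17:00, 1 GB non-educational cap.
var CampusPolicy = Policy{ClassStart: 8, ClassEnd: 17, NonEduCapBytes: 1_000_000_000}

func main() {
	recs, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("users over the in-class cap:", Alerts(recs, CampusPolicy))
}
```

Only u1001 trips the alert: u1003's heavy use is in the evening and u1004's is on a Saturday, which is exactly the "only when classes are in session" behaviour the case reports.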

9 THE INFORMATION SECURITY PROBLEM
What Is EC Security? The Status of Computer Security in the United States Personal Security National Security Security Risks for 2014 and 2015 Cyberespionage and cyberwars Attacks are now also against mobile assets Attacks on social networks and social software tools

10 Figure 10.1 Major EC Security Management Concerns
Advanced generic viruses and malware; Protecting customer data and privacy; Spam, DoS; Clogged systems; Fraud by buyers; Fraud by sellers; Attacking mobile devices and systems; Business continuity (interrupting EC); Advanced defense systems; Cross-border espionage and cyberwars; Social engineering, phishing; Attacks on social networks

11 THE INFORMATION SECURITY PROBLEM
Security Risks in Mobile Devices Cyberwars and Cyberespionage Across Borders Cyberwarfare Cyberespionage Attacking Information Systems Types of Attacks Corporate espionage Political espionage and warfare

12 THE INFORMATION SECURITY PROBLEM
The Drivers of EC Security Problems The Internet’s Vulnerable Design The Spread of Computerized Medical Data The Shift to Profit-Induced Crimes Computers Everywhere The Increased Volume of Wireless Activities and the Number of Mobile Devices The Globalization of the Attackers

13 THE INFORMATION SECURITY PROBLEM
The Darknet and the Underground Economy Darknet* The Internet Underground Economy* The Internet Silk Road Keystroke Logging in the Underground Economy Keystroke logging (keylogging) The Explosion of Social Networking The Dynamic Nature of EC Systems and the Acts of Insiders The Sophistication of the Attacks The Cost of Cyber Crime

14 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
Basic Security Terminology Business continuity plan* Cybercrime* Cybercriminal* Exposure* Fraud* Malware (malicious software)* Phishing* Risk* Spam* Vulnerability* Zombie*

15 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
The EC Security Battleground The Threats, Attacks, and Attackers Unintentional Threats Human Error Environmental Hazards Malfunctions in the Computer System Intentional Attacks and Crimes The Criminals and Methods Hacker* Cracker*

16 Figure 10.2 The EC Security Battleground

17 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
The Targets of the Attacks in Vulnerable Areas Vulnerable Areas Are Being Attacked Vulnerability Information Attacking Smartphones and Wireless Systems The Vulnerability of RFID Chips The Vulnerabilities in Business IT and EC Systems Pirated Videos, Music, and Other Copyrighted Material

18 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
EC Security Requirements Authentication* Authorization* Auditing Availability Nonrepudiation*

19 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
The Defense: Defenders, Strategy, and Methods EC Defense Programs and Strategy EC security strategy* Deterrent methods* Prevention measures* Detection measures* Information assurance (IA)*

20 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
Possible Punishment Defense Methods and Technologies Recovery

21 TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE
Technical and Nontechnical Attacks: An Overview The Major Technical Attack Methods Malware (Malicious Code): Viruses, Worms, and Trojan Horses Viruses*

22 Figure 10.3 The Major Technical Security Attack Methods (in descending order of importance)

23 Figure 10.4 How a Computer Virus Can Spread

24 TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE
Worms* Macro Viruses and Microworms* Trojan horse* Some Security Bugs and Malware: Heartbleed and Cryptolocker Heartbleed (an OpenSSL bug) Cryptolocker (ransomware) Denial-of-service (DoS) attack* Botnets* Home Appliance “Botnet” Malvertising

25 NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
Social Engineering and Fraud Social Phishing Example: The Target Security Breach Fraud and Scams on the Internet Examples of Typical Online Fraud Attacks Types of Scams: literary scams, jury duty scams, banking scams, lottery scams, Nigerian scams (or “419” fraud), credit card scams, work-at-home scams, IRS scams, and free vacation scams

26 From Phishing to Financial Fraud and Crime
Figure 10.5 Social Engineering: From Phishing to Financial Fraud and Crime

27 Figure 10.6 How Phishing Is Accomplished

28 NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
Top 10 Attacks and Remedies Identity Theft and Identity Fraud Identity theft* Identity fraud* Cyber Bank Robberies

29 NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
Spam Attacks spam* Typical Examples of Spamming Spyware*

30 NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
Social Networking Makes Social Engineering Easy How Hackers Are Attacking Social Networks Spam in Social Networks and in the Web 2.0 Environment Automated Blog Spam Search Engine Spam and Splogs Search engine spam* Spam sites* Splogs* Data Breach (Leak)*

31 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
CIA security triad* Confidentiality, Integrity, and Availability Confidentiality* Integrity* Availability* Authentication, Authorization, and Nonrepudiation E-Commerce Security Strategy

32 Figure 10.7 E-Commerce Security Strategy Framework

33 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
The Defense Side EC Systems Defending access to computing systems, data flow, and EC transactions Defending EC networks General, administrative, and application controls Protection against social engineering and fraud Disaster preparation, business continuity, and risk management Implementing enterprisewide security programs Conduct a vulnerability assessment and a penetration test Back up the data

34 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
Assessing Vulnerabilities and Security Needs Conduct a vulnerability assessment of your EC systems Vulnerability assessment* Conduct penetration (pen) tests (possibly implemented by hiring ex-hackers) to find the vulnerabilities and security weaknesses of a system Penetration test (pen test)*

35 DEFENDING INFORMATION SYSTEMS AND E-COMMERCE
The Defense I: Access Control, Encryption, and PKI Access Control* Authorization and Authentication Authentication Biometric Systems Biometric authentication* Biometric systems* Thumbprint or fingerprint Retinal scan

36 DEFENDING INFORMATION SYSTEMS AND E-COMMERCE
Encryption and the One-Key (Symmetric) System Encryption* Plaintext* Ciphertext* Encryption algorithm* Key (key value)* Symmetric (Private) Key Encryption*

37 Figure 10.8 Symmetric (Private) Key Encryption
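The terms on the preceding slide (plaintext, ciphertext, key, encryption algorithm) map directly onto a symmetric cipher call. The Go program below is an added example, not code from the textbook; it uses AES-256-GCM from the Go standard library, and the order text and associated data are constructed sample inputs. It also shows the two caveats the slide's one-key picture hides: the nonce must be fresh for every message, and modern symmetric encryption authenticates the ciphertext, so tampering or a wrong key is detected rather than producing garbage plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey draws a 256-bit key from the operating system's CSPRNG. This is the
// single secret both sides of the exchange must share (the "private key" of
// the symmetric scheme); it is never derived from a guessable value.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt turns plaintext into nonce || ciphertext || tag under AES-256-GCM.
// aad is "associated data": authenticated but not encrypted, e.g. an order ID
// the receiver must see in the clear but an attacker must not be able to swap.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message: reusing a nonce under the same key
	// destroys both the confidentiality and the integrity guarantees of GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt and fails closed: a wrong key, a flipped bit in the
// ciphertext or tag, or mismatched aad all yield an error and no plaintext.
func Decrypt(key, msg, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short to hold nonce and tag")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, _ := NewKey()
	aad := []byte("order-id=1234") // constructed sample associated data
	ct, _ := Encrypt(key, []byte("charge card ending 5678"), aad)
	fmt.Printf("ciphertext (%d bytes): %x\n", len(ct), ct)
	pt, err := Decrypt(key, ct, aad)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	ct[len(ct)-1] ^= 1 // tamper with the authentication tag
	_, err = Decrypt(key, ct, aad)
	fmt.Println("after tampering:", err)
}
```

Key distribution is the part this example does not solve: both parties already hold `key`. That is the gap the public-key material on the following slides fills.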

38 DEFENDING INFORMATION SYSTEMS AND E-COMMERCE
Public Key Infrastructure (PKI)* Public (Asymmetric) Key Encryption* Public key* Private key* The PKI Process: Digital Signatures and Certificate Authorities Digital signatures* Certificate Authorities (CAs)* Secure Sockets Layer (SSL; superseded by Transport Layer Security, TLS)

39 DEFENDING INFORMATION SYSTEMS AND E-COMMERCE
The Defense II: Securing E-Commerce Networks Firewalls* The Dual Firewall Architecture: The DMZ Virtual Private Networks (VPNs)* Intrusion Detection Systems (IDS)* Dealing with DoS Attacks

40 Figure 10.9 The Two Firewalls: DMZ Architecture

41 DEFENDING INFORMATION SYSTEMS AND E-COMMERCE
The Defense III: General Controls, Spam, Pop Ups, and Social Engineering Controls General controls* Application controls* General, Administrative, and Other Controls Physical Controls Administrative Controls Protecting Against Spam

42 DEFENDING INFORMATION SYSTEMS AND E-COMMERCE
Protecting Your Computer from Pop-Up Ads Protecting Against Other Social Engineering Attacks Protecting Against Phishing Protecting Against Malvertising Protecting Against Spyware Protecting Against Cyberwar Business Continuity and Disaster Recovery Example: Hospital Paid Ransom after Malware Attack

43 CONSUMER AND SELLER PROTECTION FROM ONLINE FRAUD
Consumer (Buyer) Protection Representative Tips and Sources for Your Protection Users should make sure that they enter the real website of well-known companies Check any unfamiliar site for an address and telephone and fax numbers Investigate sellers with the local chamber of commerce, Better Business Bureau, or TRUSTe

44 CONSUMER AND SELLER PROTECTION FROM ONLINE FRAUD
Third-Party Assurance Services Protection by a Third-Party Intermediary TRUSTe’s “Trustmark” Better Business Bureau Which? WebTrust Seal Evaluation by Consumers The Computer Fraud and Abuse Act (CFAA)*

45 CONSUMER AND SELLER PROTECTION FROM ONLINE FRAUD
Customers who deny that they placed an order Customers who download copyrighted software and sell it to others Customers who give fraudulent payment information (false credit card or a bad check) for products and services that they buy Imposters – sellers using the name of another seller What Can Sellers Do?

46 CONSUMER AND SELLER PROTECTION FROM ONLINE FRAUD
Protecting Marketplaces and Social Network Services Protecting Both Buyers and Sellers: Using Electronic Signatures and Other Security Features Electronic signature* Authentication Fraud Detecting Systems

47 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
The Drivers of EC Security Management The laws and regulations with which organizations must comply The conduct of global EC Information assets have become critical to the operation of many businesses New and faster information technologies are shared throughout organizations The complexity of both the attacks and the defense require an organization-wide collaboration approach Senior Management Commitment and Support

48 Figure 10.10 Enterprisewide EC Security and Privacy Process

49 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
EC Security Policies and Training Know that data is being collected, and when it is done Give their permission for the data to be collected Have knowledge and some control over how the data is controlled and used Be informed that the information collected is not to be shared with other organizations

50 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
EC Risk Analysis and Ethical Issues Business impact analysis (BIA)* Ethical Issues

51 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
Why Is It Difficult to Stop Internet Crime? Making Shopping Inconvenient Lack of Cooperation by Business Partners Shoppers’ Negligence Ignoring EC Security Best Practices Design and Architecture Issues Lack of Due Care in Business Practices Standard of due care*

52 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
Protecting Mobile Devices, Networks, and Applications Mobile Security Issues The Defense

53 MANAGERIAL ISSUES What steps should businesses follow in establishing a security plan? Should organizations be concerned with internal security threats? What is the key to establishing strong e-commerce security?

54 SUMMARY The importance and scope of EC information security
Basic EC security issues Threats, vulnerabilities, and technical attacks Internet fraud, phishing, and spam Information assurance

55 SUMMARY Securing EC access control and communications
The different controls and special defense mechanisms Fraud on the Internet and how to protect consumers and sellers against it Enterprisewide EC security Why it is so difficult to stop computer crimes The future of EC

56 HOW ONE BANK STOPPED SCAMS, SPAMS, AND CYBERCRIMINALS
BankWest of South Dakota An increasing number of incidents of social engineering experienced by customers Sweetheart schemes Letters, postal service, or telephone scams Cell phone scams The bank now provides information about social engineering schemes on its website

57 HOW ONE BANK STOPPED SCAMS, SPAMS, AND CYBERCRIMINALS
It is critical to combat social engineering attempts in order to increase customer confidence in Internet security The bank’s information security team regularly attends workshops and participates in forums related to social engineering and other fraud schemes Employee Rewards

58 HOW ONE BANK STOPPED SCAMS, SPAMS, AND CYBERCRIMINALS
The Results Although the number of schemes has not decreased, the number of employees reporting such schemes has increased significantly

