1. Part 8: Securing Information Systems
Dr. Anita Kealy

2. Learning objectives
e-commerce crime and security problems, the key dimensions of e-commerce security.
Describe the business value of security and control.
Describe the components of an organizational framework for security and control.
Describe the tools and technologies used for safeguarding information resources.

3. E-commerce Security Environment
Overall size and losses of cybercrime unclear
Reporting issues
2016 survey: Average total cost of data breach to U.S. corporations was $4 million
Low-cost web attack kits
Online credit card fraud
Underground economy marketplace

4. What Is Good E-commerce Security?
To achieve highest degree of security
New technologies
Organizational policies and procedures
Industry standards and government laws
Other factors
Time value of money
Cost of security vs. potential loss
Security often breaks at weakest link

5. The e-Commerce Security Environment

6. Customer and Merchant Perspectives on the Different Dimensions of E-commerce Security

7. Tension between Security and Other Values
Ease of use
The more security measures added, the more difficult a site is to use, and the slower it becomes
Public safety and criminal uses of the Internet
Use of technology by criminals to plan crimes or threaten nation-state

8. Security Threats in an e-Commerce Environment
Three key points of vulnerability in e-commerce environment:
Client
Server
Communications pipeline (Internet communications channels)

9. An e-Commerce Environment

10. Vulnerable Points in an E-commerce Transaction

11. Insight on Technology: Think Your Smartphone Is Secure?
Class Discussion
Which mobile operating system do you think is more secure – Apple’s iOS or Google’s Android?
What steps, if any, do you take to make your smartphone more secure?
What qualities of apps make them a vulnerable security point in smartphone use?

12. System Vulnerability and Abuse
Malware (malicious software)
Viruses
Rogue software program that attaches itself to other software programs or data files in order to be executed
Worms
Independent programs that copy themselves from one computer to other computers over a network.
Worms and viruses spread by
Downloads (drive-by downloads)
, IM attachments
Downloads on Web sites and social networks

13. System Vulnerability and Abuse
Malware (cont.)
Smartphones as vulnerable as computers
Study finds 13,000 types of smartphone malware
Trojan horses
Software that appears benign but does something other than expected
SQL injection attacks
Hackers submit data to Web forms that exploits site’s unprotected software and sends rogue SQL query to database
Ransomware

14. System Vulnerability and Abuse
Malware (cont.)
Spyware
Small programs install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising
Key loggers
Record every keystroke on computer to steal serial numbers, passwords, launch Internet attacks
Other types:
Reset browser home page
Redirect search requests
Slow computer performance by taking up memory

15. System Vulnerability and Abuse
Hackers and computer crime
Hackers vs. crackers
Activities include:
System intrusion
System damage
Cybervandalism
Intentional disruption, defacement, destruction of Web site or corporate information system

16. System Vulnerability and Abuse
Spoofing
Misrepresenting oneself by using fake addresses or masquerading as someone else
Redirecting Web link to address different from intended one, with site masquerading as intended destination
Sniffer
Eavesdropping program that monitors information traveling over network
Enables hackers to steal proprietary information such as , company files, and so on

17. System Vulnerability and Abuse
Denial-of-service attacks (DoS)
Flooding server with thousands of false requests to crash the network
Distributed denial-of-service attacks (DDoS)
Use of numerous computers to launch a DoS
Botnets
Networks of “zombie” PCs infiltrated by bot malware
Can be used to launch very large attacks using many different techniques.
Deliver 90 percent of world spam, 80 percent of world malware
Grum botnet: controlled 560K to 840K computers, 18% of worldwide spam traffic (18 billion messages a day) until it was shut down on July 19, 2012.

18. System Vulnerability and Abuse
Identity theft
Theft of personal Information (social security ID, driver’s license, or credit card numbers) to impersonate someone else
Phishing
Setting up fake Web sites or sending messages that look like legitimate businesses to ask users for confidential personal data
Evil twins
Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet

19. System Vulnerability and Abuse
Pharming
Redirects users to a bogus Web page, even when individual types correct Web page address into his or her browser
Click fraud
Occurs when individual or computer program fraudulently clicks on online ad without any intention of learning more about the advertiser or making a purchase
Cyberterrorism and Cyberwarfare

20. 5 Expensive Data Breaches

21. Case Study: Cyberwarfare
Is Cyberwarfare a serious problem? Why? Why not?
Assess the management, organisation and technology factors that have created this problem.
What makes Stuxnet different from other cyberwarfare attacks? How serious a threat is this technology?
What solutions have been proposed for this problem? Do you think they will be effective? Why? Why not?

22. System Vulnerability and Abuse
Internal threats: Employees
Security threats often originate inside an organization
Inside knowledge
Sloppy security procedures
User lack of knowledge
Social engineering:
Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information

23. System Vulnerability and Abuse
Software vulnerability
Commercial software contains flaws that create security vulnerabilities
Hidden bugs (program code defects)
Zero defects cannot be achieved because complete testing is not possible with large programs
Flaws can open networks to intruders
Patches
Small pieces of software to repair flaws
Exploits often created faster than patches can be released and implemented

24. Business Value of Security and Control
Failed computer systems can lead to significant or total loss of business function.
Firms now are more vulnerable than ever.
Confidential personal and financial data
Trade secrets, new products, strategies
A security breach may cut into a firm’s market value almost immediately.
Inadequate security and controls also bring forth issues of liability.

25. Organisational Frameworks for Security and Control
Security policy
Acceptable use policy (AUP)
Authorization policies
Identity Management
Identity Management Systems
Disaster Recovery Planning
Business Continuity Planning
Information Systems Audit

26. Tools and Technologies for Security
Identity Management Software
Authentication
Firewall:
Combination of hardware and software that prevents unauthorized users from accessing private networks
Intrusion detection systems
Antivirus and antispyware software
Unified threat management (UTM) systems

27. Tools and Technologies for Security
Securing wireless networks
WEP security can provide some security by:
Assigning unique name to network’s SSID and not broadcasting SSID
Using it with VPN technology
Wi-Fi Alliance finalized WPA2 specification, replacing WEP with stronger standards
Continually changing keys
Encrypted authentication system with central server

28. Tools and Technologies for Security
Encryption:
Transforming text or data into cipher text that cannot be read by unintended recipients
Two methods for encryption on networks
Secure Sockets Layer (SSL) and successor Transport Layer Security (TLS)
Secure Hypertext Transfer Protocol (S-HTTP)

29. Tools and Technologies for Security
Two methods of encryption
Symmetric key encryption
Sender and receiver use single, shared key
Public key encryption
Uses two, mathematically related keys: Public key and private key
Sender encrypts message with recipient’s public key
Recipient decrypts with private key

30. Tools and Technologies for Security

31. Tools and Technologies for Security
Digital certificate:
Data file used to establish the identity of users and electronic assets for protection of online transactions
Uses a trusted third party, certification authority (CA), to validate a user's identity
CA verifies user’s identity, stores information in CA server, which generates encrypted digital certificate containing owner ID information and copy of owner’s public key
Public key infrastructure (PKI)
Use of public key cryptography working with certificate authority
Widely used in e-commerce

32. Tools and Technologies for Security
Ensuring system availability
Online transaction processing requires 100% availability, no downtime
Fault-tolerant computer systems
For continuous availability, for example, stock markets
Contain redundant hardware, software, and power supply components that create an environment that provides continuous, uninterrupted service

33. Tools and Technologies for Security
Security in the cloud
Responsibility for security resides with company owning the data
Firms must ensure providers provides adequate protection:
Where data are stored
Meeting corporate requirements, legal privacy laws
Segregation of data from other clients
Audits and security certifications
Service level agreements (SLAs)

34. Tools and Technologies for Security
Securing mobile platforms
Security policies should include and cover any special requirements for mobile devices
Guidelines for use of platforms and applications
Mobile device management tools
Authorization
Inventory records
Control updates
Lock down/erase lost devices
Encryption
Software for segregating corporate data on devices

35. E-commerce Payment Systems
In U.S., credit and debit cards are primary online payment methods
Other countries have different systems
Online credit card purchasing cycle
Credit card e-commerce enablers
Limitations of online credit card payment
Security, merchant risk
Cost
Social equity

36. How Online Credit Card Transaction Works

37. Alternative Online Payment Methods
Online stored value systems:
Based on value stored in a consumer’s bank, checking, or credit card account
Example: PayPal
Other alternatives:
Pay with Amazon
Visa Checkout, Mastercard’s MasterPass
Bill Me Later
WUPay, Dwolla, Stripe

38. Mobile payment Methods
Use of mobile phones as payment devices
Established in Europe and Asia
Expanding in United States
Apple Pay, Android Pay, Samsung Pay, PayPal, Square
Near field communication (NFC)
Social/Mobile peer-to-peer payment systems
Sending money through mobile app or website
Regulation of mobile wallets and rechargeable cards

39. Digital Cash and Virtual Currencies
Based on algorithm that generates unique tokens that can be used in “real” world
Example: Bitcoin
Virtual currencies
Circulate within internal virtual world
Example: Linden Dollars in Second Life, Facebook Credits
Typically used for purchasing virtual goods