Presentation is loading. Please wait.

Presentation is loading. Please wait.

Issues and Protections

Similar presentations


Presentation on theme: "Issues and Protections"— Presentation transcript:

1 Issues and Protections
E -Commerce Security and Fraud Issues and Protections Copyright © 2015 Springer Education Lecture 6 ReF: chapter 10

2 Learning Objectives Understand the importance and scope of security of information systems for EC. Understand about the major EC security threats, vulnerabilities, and technical attacks. Understand Internet fraud, phishing, and spam. Describe the information assurance security principles. Describe the major technologies for protection of EC networks. Describe various types of controls and special defense mechanisms. Discuss enterprise wide implementation issues for EC security. Understand why it is so difficult to stop computer crimes. Copyright © 2015 Springer Education 4-2

3 10.1 THE INFORMATION SECURITY PROBLEM
Copyright © 2015 Springer Education

4 10.1 THE INFORMATION SECURITY PROBLEM
A variety of activities and methods that protect information systems, data, and procedures from any action designed to destroy, modify, or degrade the systems and their operations. Computer security: The protection of data, networks, computer programs, computer power, and other elements of computerized information systems. Computer security aims to prevent, or at least minimize, the attacks. Copyright © 2015 Springer Education 4-4

5 10.1 THE INFORMATION SECURITY PROBLEM
Types of Attacks: Corporate Espionage: Many attacks target energy-related companies because their inside information is valuable. Political Espionage and Warfare: Political espionage and cyberwars are increasing in magnitude. Sometimes, these are related to corporate espionage. Copyright © 2015 Springer Education 4-5

6 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
Copyright © 2015 Springer Education

7 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
The EC Security Battleground: The essence of EC security can be viewed as a battleground between attackers and defenders and the defenders’ security requirements. Components of Battleground: The attacks, the attackers, and their strategies. The assets that are being attacked (the targets) in vulnerable areas. The security defense, the defenders, and their methods and strategy. Copyright © 2015 Springer Education 4-7

8 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
Unintentional Threats Categories: Human errors: They can occur in the design of the hardware, software, or information systems. It can also occur in programming , testing and data collection. Environmental Hazards: Include natural disasters and other environmental conditions outside of human control; sand storms, floods and fires. Malfunctions in the Computer System: Defects can be the result of poor manufacturing, defective materials, memory leaks, and outdated or poorly maintained networks. Copyright © 2015 Springer Education 4-8

9 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
EC Security Requirements: The following set of security requirements are used to assure success and to minimize EC transaction risks: Authentication: A process used to verify (assure) the real identity of an EC entity, which could be an individual, software agent, computer program, or EC website. Authorization: The provision of permission to an authenticated person to access systems and perform certain operations in those specific systems. Copyright © 2015 Springer Education 4-9

10 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
EC Security Requirements : Auditing When a person or program accesses a website or queries a database, various pieces of information are recorded or logged into a file. Availability Assuring that systems and information are available to the user when needed and that the site continues to function. Non repudiation: (Close to authentication) The assurance that online customers or trading partners will not be able to falsely deny their purchase, transaction, sale, or other obligation. Copyright © 2015 Springer Education 4-10

11 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
The Defense: Defenders, Strategy, and Methods: EC security strategy consists of multiple layers of defense that includes several methods. This defense aims to deter, prevent, and detect unauthorized entry into an organization’s computer and information systems. Deterrent methods: countermeasures that make criminals abandon their idea of attacking a specific system. Prevention measures: help stop unauthorized people from accessing the EC system. Detection measures: help find security breaches in computer systems. Copyright © 2015 Springer Education 4-11

12 10.5 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
Copyright © 2015 Springer Education

13 10.5 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
Information Assurance (IA): - Making sure that a customer is safe and secure while shopping online is a crucial part of improving the online buyer’s experience. - Measures taken to protect information systems and their processes against all risks. In other words assure the systems’ availability when needed. The assurance includes all tools and defense methods. Information Assurance (IA) model: A point of reference used to identify problem areas and evaluate the information security of an organization. The use of the model includes three necessary attributes: Confidentiality. Integrity. Availability. The success and security of EC can be measured by these attributes. Copyright © 2015 Springer Education 4-13

14 10.5 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
Confidentiality: The assurance of data secrecy and privacy. Namely, the data is disclosed only to authorized people (encryption and passwords). Integrity: The assurance that data are accurate and that they cannot be altered. The integrity attribute needs to be able to detect and prevent the unauthorized creation, modification, or deletion of data or messages in transit. Availability: The assurance that access to any relevant data, information websites, or other EC services and their use is available in real time, whenever and wherever needed. Copyright © 2015 Springer Education 4-14

15 10.5 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
E-Commerce Security Strategy: EC security needs to address the IA model and its components. The Phases of Security Defense: Prevention and deterrence (preparation): Good controls may prevent criminal activities and human error from occurring. Initial Response: Verifying if there is an attack. If so, determine how the intruder gained access to the system and which systems and data are infected or corrupted. Detection: The earlier an attack is detected, the easier it is to fix the problem, and the smaller amount of damage is done. Containment (contain the damage): It is to minimize or limit losses once a malfunction has occurred. Copyright © 2015 Springer Education 4-15

16 10.5 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
The Phases of Security Defense: Eradication: Remove the malware from infected hosts. Recovery: Recovery needs to be planned for to assure quick return to normal operations at a reasonable cost. One option is to replace parts rather than to repair them. Correction: Finding the causes of damaged systems and fixing them. Awareness and compliance: All organization members must be educated about possible hazards and must comply with the security rules and regulations. Copyright © 2015 Springer Education 4-16

17 10.9 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
Copyright © 2015 Springer Education

18 Drivers for EC security management:
10.9 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY Drivers for EC security management: The laws and regulations with which organizations must comply. The conduct of global EC. Information assets have become critical to the operation of many businesses. New and faster information technologies are shared throughout organizations. The complexity of both the attacks and the defense require an organization wide collaboration approach. Copyright © 2015 Springer Education 4-18

19 10.9 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
EC Security Policies and Training: An important security task is developing an organizational EC security policy, as well as procedures for specific security and EC activities such as access control and protecting customer data. The policies need to be disseminated throughout the organization and necessary training needs to be provided. Copyright © 2015 Springer Education 4-19

20 10.9 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
EC Security Policies and Training: First example, To protect privacy during data collection, policies need to specify that customers should: Know that data is being collected. Give their permission for the data to be collected. Have knowledge and some control over how the data is controlled and used. Be informed that the information collected is not to be shared with other organizations. Second example, To protect against criminal use of social media, you can: Develop policies and procedures to exploit opportunities but provide customer protection. Educate employees and others about what is acceptable and what is not acceptable. Copyright © 2015 Springer Education 4-20

21 10.9 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
The major reasons Internet crime is so difficult to stop: Making Shopping Inconvenient. Lack of Cooperation by Business Partners. Shoppers’ Negligence. Ignoring EC Security Best Practices. Design and Architecture Issues. Lack of Due Care in Business Practices. Copyright © 2015 Springer Education 4-21


Download ppt "Issues and Protections"

Similar presentations


Ads by Google